Sample Events

<134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 event=conn_close_natsat action=close rule=if3_net_nat_out conn=close connipproto=TCP connrecvif=If3 connsrcip=192.168.99.13 connsrcport=43347 conndestif=If1 conndestip=1.1.1.1 conndestport=443 connnewsrcip=1.1.1.2 connnewsrcport=65035 connnewdestip=1.1.1.1 connnewdestport=443 origsent=1395 termsent=5763 conntime=83

<134>[2016-04-26 16:10:11] EFW: ALG: prio=1 id=00200001 rev=1 event=alg_session_open algmod=ftp algsesid=95238 connipproto=TCP connrecvif=If1 connsrcip=1.1.1.3 connsrcport=59576 conndestif=core conndestip=1.1.1.4 conndestport=21 origsent=100 termsent=44

<134>[2016-04-26 16:10:05] EFW: IPSEC: prio=1 id=01800211 rev=2 event=reconfig_IPsec action=ipsec_reconfigured
FortiSIEM 7.0.2 External Systems Configuration Guide 491
Fortinet Inc.
Firewalls
Cyberoam Firewall
⚫ Integration Points
⚫ Event Types
⚫ Rules
⚫ Reports
⚫ Configuration
⚫ Settings for Access Credentials
⚫ Sample Events
Integration Points
Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
Logs collected: Connection – permit and deny, system events, malware events
Used for: Security monitoring
Event Types
In ADMIN > Device Support > Event Types, search for "Cyberoam" to see the event types associated with this device.
Rules
No specific rules are written for Cyberoam firewall but generic firewall rules will apply.
Reports
No specific reports are written for Cyberoam firewall but generic firewall reports will apply.
Configuration
Configure Cyberoam firewall to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
<30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" device_id=C162213098933-QQ6REI log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=12 user_name="" user_gp="" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="" application_risk=0 application_technology="" application_category="" in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:10: 0 src_ip=10.0.70.17 src_country_code=AP dst_ip=1.1.1.1 dst_country_code=IRL protocol="TCP" src_port=61244 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=10.0.0.13 tran_dst_port=8080 srczonetype="LAN" srczone="ZONE1" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3340934816" vconnid=""
Dell SonicWALL Firewall
⚫ What is Discovered and Monitored
⚫ Event Types
⚫ Rules
⚫ Reports
⚫ Configuration
⚫ Example Syslog
⚫ Settings for Access Credentials
What is Discovered and Monitored
Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: CPU Utilization, Memory utilization and Firewall Session Count
Used for: Availability and Performance Monitoring

Protocol: Syslog
Information Discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance
Event Types
In ADMIN > Device Support > Event Types, search for "sonicwall" to see the event types associated with Dell SonicWALL firewalls.
Rules
There are no predefined rules for Dell SonicWALL firewalls.
Reports
There are no predefined reports for Dell SonicWALL firewalls.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
⚫ Dell SonicWALL Firewall Administrator's Guide (PDF)

Syslog
1. Log in to your SonicWALL appliance.
2. Go to Log > Syslog.
Keep the default settings.
3. Under Syslog Servers, click Add.
The Syslog Settings wizard will open.
4. Enter the IP Address of your FortiSIEM Supervisor or Collector.
Keep the default Port setting of 514.
5. Click OK.
6. Go to Firewall > Access Rules.
7. Select the rule that you want to use for logging, and then click Edit.
8. In the General tab, select Enable Logging, and then click OK.
Repeat for each rule that you want to enable for sending syslog to FortiSIEM.
Your Dell SonicWALL firewall should now send syslog to FortiSIEM.
Example Syslog
Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
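The three sample-event sections above (the EFW CONN/ALG/IPSEC events, the Cyberoam firewall log, and the Dell SonicWALL example syslog) all use a key=value body behind an optional syslog <PRI> prefix, but they name the connection fields differently and SonicWALL packs ip:port:zone into one value. The following is an added example, not code from the guide or from any of these vendors, showing one parser that handles all three and maps them to a common schema so that a single detection (here, a list of permitted connections) can run over the mixed stream. The sample lines are constructed from the page's events with some fields trimmed, the vendor tags ("efw", "cyberoam", "sonicwall") are this example's own names, and the vendor-detection heuristics are assumptions chosen from the visible samples.

```python
"""Parse and normalize the key=value firewall syslog formats shown on this page."""
import re
from typing import Dict, List, Optional, Tuple

# One key=value token: the value is either a double-quoted string (may contain spaces and
# escaped quotes) or a bare run of non-space characters, possibly empty (e.g. tran_src_ip=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed samples, trimmed from the page's sample events (not captured from live devices).
SAMPLES = [
    '<134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 event=conn_close_natsat action=close rule=if3_net_nat_out conn=close connipproto=TCP connrecvif=If3 connsrcip=192.168.99.13 connsrcport=43347 conndestif=If1 conndestip=1.1.1.1 conndestport=443 origsent=1395 termsent=5763 conntime=83',
    '<134>[2016-04-26 16:10:05] EFW: IPSEC: prio=1 id=01800211 rev=2 event=reconfig_IPsec action=ipsec_reconfigured',
    '<30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" device_id=C162213098933-QQ6REI log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information fw_rule_id=12 user_name="" protocol="TCP" src_ip=10.0.70.17 dst_ip=1.1.1.1 src_port=61244 dst_port=443 tran_src_ip= tran_src_port=0 connevent="Start"',
    'Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Return every key=value pair on the line with surrounding quotes removed."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_pri(line: str) -> Tuple[Optional[int], Optional[int]]:
    """Decode the syslog <PRI> prefix into (facility, severity); (None, None) when absent."""
    m = PRI_RE.match(line)
    if not m:
        return None, None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def _int(value: Optional[str]) -> Optional[int]:
    """Integer conversion that tolerates missing, empty or non-numeric fields."""
    try:
        return int(value) if value else None
    except ValueError:
        return None


def _endpoint(value: str) -> Tuple[Optional[str], Optional[int]]:
    """SonicWALL endpoints are written ip:port:zone; return (ip, port), tolerating missing parts."""
    parts = value.split(":")
    ip = parts[0] or None
    port = _int(parts[1]) if len(parts) > 1 else None
    return ip, port


def normalize(line: str) -> Dict[str, object]:
    """Map one event to a common schema; fields a format does not carry stay None."""
    kv = parse_kv(line)
    facility, severity = parse_pri(line)
    rec: Dict[str, object] = {"facility": facility, "severity": severity, "raw": kv,
                              "vendor": "unknown", "event": None, "action": None,
                              "src_ip": None, "src_port": None, "dst_ip": None,
                              "dst_port": None, "proto": None}
    if " EFW: " in line:  # assumed signature of the EFW-style events (conn* field names)
        rec.update(vendor="efw", event=kv.get("event"), action=kv.get("action"),
                   src_ip=kv.get("connsrcip"), src_port=_int(kv.get("connsrcport")),
                   dst_ip=kv.get("conndestip"), dst_port=_int(kv.get("conndestport")),
                   proto=(kv.get("connipproto") or "").lower() or None)
    elif "log_type" in kv and "device_name" in kv:  # assumed signature of Cyberoam logs
        rec.update(vendor="cyberoam", event=kv.get("log_subtype"), action=kv.get("status"),
                   src_ip=kv.get("src_ip"), src_port=_int(kv.get("src_port")),
                   dst_ip=kv.get("dst_ip"), dst_port=_int(kv.get("dst_port")),
                   proto=(kv.get("protocol") or "").lower() or None)
    elif kv.get("id") == "firewall" and "sn" in kv:  # assumed signature of SonicWALL logs
        src_ip, src_port = _endpoint(kv.get("src", ""))
        dst_ip, dst_port = _endpoint(kv.get("dst", ""))
        rec.update(vendor="sonicwall", event=kv.get("msg"),
                   src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
                   proto=kv.get("proto", "").split("/")[0].lower() or None)
    return rec


def permitted_connections(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records whose action field says the firewall let the connection through."""
    return [r for r in records
            if str(r.get("action") or "").lower() in ("allow", "permit", "accept")]


if __name__ == "__main__":
    for rec in (normalize(s) for s in SAMPLES):
        print(rec["vendor"], rec["event"], rec["action"], rec["src_ip"], rec["src_port"],
              "->", rec["dst_ip"], rec["dst_port"], rec["proto"])
```

Note that the SonicWALL sample carries no <PRI> prefix (its own pri=6 is a body field), so facility and severity come back as None rather than being guessed, and the EFW IPSEC event has no connection fields at all; a normalizer that raises on either case would drop exactly the events a relay or non-connection log produces.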
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>
Fortinet FortiGate Firewall
Support Added: FortiSIEM 4.7.2
Last Modification: FortiSIEM 7.0.0
Vendor Version Tested: FortiGate 7.2.4
Vendor: Fortinet
Product Information: https://www.fortinet.com/products/next-generation-firewall
⚫ What is Discovered and Monitored
⚫ Overview
⚫ Event Types
⚫ Rules
⚫ Reports
⚫ Suggested Integration
⚫ Configuration
⚫ FortiOS REST API Integration
⚫ Configuring FortiSIEM through FortiOS REST API
⚫ Configuring FortiGate to send Syslog to FortiSIEM
⚫ SNMP Monitoring of FortiGate
⚫ Configuring SNMP v1 or v2 on FortiGate
⚫ Configuring SNMP v3 on FortiGate
⚫ Configuring SSH on FortiSIEM to communicate with FortiGate
⚫ Configuring FortiSIEM for SNMP and SSH to FortiGate
⚫ Configuring FortiAnalyzer to send logs to FortiSIEM
⚫ Configuring FortiGate to send Netflow via CLI
⚫ Configuring FortiGate to send Application names in Netflow via GUI
⚫ Example of FortiGate Syslog parsed by FortiSIEM
What is Discovered and Monitored
Protocol: Netflow
Information Discovered: None
Metrics collected: Firewall traffic, application detection and application link usage metrics
Used for: Security monitoring and compliance, Firewall Link Usage and Application monitoring

Protocol: REST API
Information Discovered: Host name, Model, Version, Interfaces, Serial Number, FortiAP and FortiSwitch managed by FortiGate
Metrics collected: Uptime, CPU, Memory and Disk utilization, Network Interface metrics, VPN metrics, Firewall Connection metrics
Used for: Performance and Availability Monitoring

Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
Used for: Availability and Performance Monitoring

Protocol: Syslog
Information Discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance

Protocol: SSH
Information Discovered: Running configuration
Metrics collected: Configuration Change
Used for: Performance Monitoring, Security and Compliance
Overview
In 7.0.0, FortiSIEM has expanded discovery support for FortiGate firewalls using API key-based discovery with the following API Discovery enhancements:
⚫ FortiGate software modules and their expiry data, if applicable, can be found under Device -> Software -> Installed Software
⚫ FortiGate running processes are now listed under Device -> Software -> Running Applications
⚫ Processor core list can now be found under Device -> Hardware -> Processors
⚫ Physical memory utilization can now be found under Device -> Hardware -> Storage
⚫ FortiGate startup config backups can be found under Device -> Configuration
⚫ SSH discovery is no longer required for config backups; backups are collected via API
⚫ SNMP discovery is no longer required for FortiGate performance data collection
FortiGate Security Fabric Discovery Support
FortiSIEM now supports discovery of Fortinet Security Fabric member devices.
If a discovered firewall is a member of, or the root firewall of, a security fabric, FortiSIEM can now discover the directly configured firewall and do a light (basic data) discovery of adjacent FortiGate firewalls in the fabric. For more information about Fortinet Security Fabric, see the following documentation: https://docs.fortinet.com/security-fabric.
The screenshot above shows that after a FortiGate root firewall in the security fabric is directly discovered, a basic discovery is automatically done of all other FortiGate firewalls in the fabric.
In addition to supporting discovery of devices attached to the Fortinet Security Fabric, there is a new concept of a deep (complete) discovery and a shallow (light) discovery of FortiGate devices.
If you configure a FortiGate firewall with an API key, and configure that FortiGate in FortiSIEM for discovery, the complete information of that device, attached switches, and access points will be imported.
FortiSIEM will also look at attached security fabric devices and do a light discovery of adjacent FortiGate firewalls only. This is considered a "light" discovery. It consists of basic information such as:
⚫ hostname
⚫ access IP (usually the management IP of the firewall)
⚫ version
⚫ serial number
In order to get complete information about every firewall, you must configure an API key and directly discover each one within FortiSIEM.
Fortinet Security Fabric - Risk Rating Dashboard
For a FortiGate firewall that has security fabric enabled and is joined to a fabric, the root firewall appliance begins aggregating security risk data from all member devices for reporting display.
If you directly discover a FortiGate operating as the root firewall of the security fabric, you will also populate the Security Fabric - Security Rating report data into FortiSIEM. This populates the dashboard found under Dashboard -> Security Fabric -> Security Rating -> Security Posture.
Note for Managed Security Service Providers (MSSPs): You must be in organization scope to see this dashboard.
The