firewall.fortinet
Purpose
Use tags in this category to identify events generated by Fortinet FortiGate Next-Generation Firewall, Unified Threat Management (UTM), FortiAnalyzer, Fortinet Secure Access Service Edge (SASE), and FortiEDR.
For Fortinet logs in CEF format, use cef0.fortinet. For Fortinet email security, use mail.fortinet. For Fortinet identity management, use iam.fortinet.
Send it
Data should be sent using the Devo Relay.
Log formats
Fortinet logs may be in comma separated value (CSV) format or space separated value format. Both formats are widely used. By default, Devo parses the comma separated value format. To parse your logs with the space separated value option, add .noncsv to the target tag using the relay rule.
Example relay rules
For FortiAnalyzer, create a syslog server using the relay IP and a free port.
FortiSASE
Fortinet versions > 5.6 with legacy-reliable mode.
Source message:
Source data: type=\"{0,1}([^\s^\"]+)\"{0,1}\ssubtype=\"{0,1}([^\s^\"]+)\"{0,1}
Source tag:
Target tag: firewall.fortinet.\\D1.\\D2.noncsv
Sent without syslog tag: true
Stop processing: true
This example is for space separated value format.
Using the FortiGate GUI, go to Log & Report → Log Settings and select Remote Logging and Archiving to configure the Devo relay as a remote syslog server. Then run these FortiGate CLI commands.
config log syslogd setting
set status enable
set csv enable
set mode legacy-reliable
set facility local7
set server <relay_ip>
set port <relay_port>
end
If the FortiGate version is 5.6 or lower, set mode udp instead of legacy-reliable.
For FortiGate logs containing quotes, an example rule is:
Source message:
Source data: ,type=\"([^,]+)\",subtype=\"([^,]+)\"(,|$)
Source tag:
Target tag: firewall.fortinet.\\D1.\\D2
Sent without syslog tag: true
Stop processing: true
For FortiGate logs not containing quotes:
Source message:
Source data: ,type=([^,]+),subtype=([^,]+)(,|$)
Source tag:
Target tag: firewall.fortinet.\\D1.\\D2
Sent without syslog tag: true
Stop processing: true
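As an added check that is not part of the Devo documentation or the relay itself, this Python script applies the three FortiGate source-data patterns above, in the listed order and with first-match-wins semantics, to constructed sample lines and derives the target tag each line would receive; the sample lines and the parse_fields helper are this example's own, not Devo functions.

```python
import re

# Added example, not Devo relay code: the three FortiGate source-data patterns
# from the rules above, tried in the listed order with first match winning
# ("Stop processing: true"), to see which tag each raw line would get.
RULES = (
    # Space separated values (.noncsv); quotes around the values are optional.
    (re.compile(r'type="{0,1}([^\s^"]+)"{0,1}\ssubtype="{0,1}([^\s^"]+)"{0,1}'),
     "firewall.fortinet.{type}.{subtype}.noncsv"),
    # Comma separated values with quoted fields.
    (re.compile(r',type="([^,]+)",subtype="([^,]+)"(,|$)'),
     "firewall.fortinet.{type}.{subtype}"),
    # Comma separated values without quotes. Keep this after the quoted rule:
    # [^,]+ also matches a quoted value, quotes included, which would put the
    # quote characters into the tag.
    (re.compile(r',type=([^,]+),subtype=([^,]+)(,|$)'),
     "firewall.fortinet.{type}.{subtype}"),
)

# key=value splitter for either format (constructed helper, not a Devo function).
FIELD = re.compile(r'(\w+)=("[^"]*"|[^,\s]*)')


def target_tag(line):
    """Return the target tag the relay would assign, or None if no rule matches."""
    for pattern, template in RULES:
        m = pattern.search(line)
        if m:
            return template.format(type=m.group(1), subtype=m.group(2))
    return None


def parse_fields(line):
    """Split a FortiGate line into a dict of fields, with surrounding quotes removed."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


# Constructed sample lines, one per format; values are illustrative only.
SAMPLES = {
    "csv_quoted": 'date=2024-01-01,time=08:15:02,devname="fw1",type="event",'
                  'subtype="vpn",logdesc="FortiClient VPN connected",user="alice"',
    "csv_plain": 'date=2024-01-01,time=08:15:02,devname=fw1,type=utm,subtype=voip,'
                 'kind=call,status=end,duration=240',
    "space": 'date=2024-01-01 time=08:15:02 devname="fw1" type="traffic" '
             'subtype="forward" srcip=10.0.0.5 action="accept"',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:<11} -> {target_tag(line)}  fields={len(parse_fields(line))}")
```

Running it shows that the noncsv pattern never matches a CSV line (it needs whitespace between type and subtype) and that the unquoted CSV pattern, tried on its own, would capture the quote characters from a quoted line.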
For FortiEDR:
Source message:
Source data:
Source tag:
Target tag: firewall.fortinet.fortiedr.endpoint
Sent without syslog tag: true
Stop processing: true
Secure it
Use the security resources for firewall.all.traffic with Fortinet.
Secure firewall.fortinet.event.dns using resources for domains.all.
Secure authentication into Fortinet devices using resources for auth.all.
Devo Exchange has Fortinet-specific alerts:
SecOpsFortinetHighRiskAppUse
SecOpsFortinetCriticalAppUse
VPN
Many organizations require users to enable VPN when working. To determine which users need help enabling the VPN, create a list of users who have already successfully connected.
from firewall.fortinet.event.endpoint
where eq(logdesc,"FortiClient VPN connected") group by user
Risk Levels
Use the risk levels computed by the Fortinet Security Rating feature to identify problematic devices by creating a gradient alert.
from firewall.fortinet.event.securityRating
group every 1d by auditreporttype,devName
select max(criticalcount) as critical
Malicious wireless access points
An analyst wants to be notified of unauthorized wireless access points so they can be removed from the organization’s campus. Removing rogue access points can prevent users from accidentally connecting to a malicious network.
from firewall.fortinet.event.wireless
where toktains(action,"rogue-ap") or toktains(action,"fake-ap"), not has(action,"-off")
group by devName, devID, action,
split(split(rawMessage,"ssid=\"",1),"\"",0) as ssid,
split(split(rawMessage,"manuf=\"",1),"\"",0) as manufacturer
select
max(int(split(split(rawMessage,"signal=",1)," ",0))) as signal
Voice over IP data exfiltration
A user is suspected of placing calls to conduct insider trading. Identify who is being called from their SIP address.
from firewall.fortinet.utm.voip
where eq(kind,"call"), eq(status,"end")
group by `from`, to
Eavesdropping
Security noticed a SIP phone was being used to listen to board meetings. The attacker had started the call in the morning and left it running during confidential discussions in the afternoon. Identify other SIP phones in conference rooms that have placed unusually long calls, which might indicate attempts to access private managerial discussions. Use this information to determine if access to SIP phones needs to be restricted.
from firewall.fortinet.utm.voip
where eq(kind,"call"), eq(status,"end"),
int(duration) > (4*60) // calls over four hours
group by `from`
select count() as long_calls, max(int(duration)) as longest_call
Robocalling
Compromised SIP phones may be used to illegally place marketing robocalls. Find SIP phones that are placing calls to a high number of recipients so they can be isolated from the network.
from firewall.fortinet.utm.voip
where eq(kind,"call")
group by `from`
select length(collectdistinct(to)) as recipients
where recipients>100
Tags and tables
Tag | Data table
firewall.fortinet |
firewall.fortinet.anomaly.anomaly, firewall.fortinet.anomaly.anomaly.noncsv | firewall.fortinet.anomaly.anomaly
firewall.fortinet.event |
firewall.fortinet.event.admin, firewall.fortinet.event.admin.noncsv | firewall.fortinet.event.admin
firewall.fortinet.event.config, firewall.fortinet.event.config.noncsv | firewall.fortinet.event.config
firewall.fortinet.event.connector, firewall.fortinet.event.connector.noncsv | firewall.fortinet.event.connector
firewall.fortinet.event.wireless, firewall.fortinet.event.wireless.noncsv | firewall.fortinet.event.wireless
firewall.fortinet.event.dhcp, firewall.fortinet.event.dhcp.noncsv | firewall.fortinet.event.dhcp
firewall.fortinet.event.dns, firewall.fortinet.event.dns.noncsv | firewall.fortinet.event.dns
firewall.fortinet.event.endpoint, firewall.fortinet.event.endpoint.noncsv | firewall.fortinet.event.endpoint
firewall.fortinet.event.fgd, firewall.fortinet.event.fgd.noncsv | firewall.fortinet.event.fgd
firewall.fortinet.event.ha, firewall.fortinet.event.ha.noncsv | firewall.fortinet.event.ha
firewall.fortinet.event.his-performance, firewall.fortinet.event.his-performance.noncsv | firewall.fortinet.event.hisPerformance
firewall.fortinet.event.ipsec, firewall.fortinet.event.ipsec.noncsv | firewall.fortinet.event.ipsec
firewall.fortinet.event.pattern, firewall.fortinet.event.pattern.noncsv | firewall.fortinet.event.pattern
firewall.fortinet.event.perf-historical, firewall.fortinet.event.perf-historical.noncsv | firewall.fortinet.event.perfHistorical
firewall.fortinet.event.router, firewall.fortinet.event.router.noncsv | firewall.fortinet.event.router
firewall.fortinet.event.sdwan, firewall.fortinet.event.sdwan.noncsv | firewall.fortinet.event.sdwan
firewall.fortinet.event.security-rating, firewall.fortinet.event.security-rating.noncsv | firewall.fortinet.event.securityRating
firewall.fortinet.event.sslvpn-session, firewall.fortinet.event.sslvpn-session.noncsv | firewall.fortinet.event.sslvpnSession
firewall.fortinet.event.sslvpn-user, firewall.fortinet.event.sslvpn-user.noncsv | firewall.fortinet.event.sslvpnUser
firewall.fortinet.event.switch-controller, firewall.fortinet.event.switch-controller.noncsv | firewall.fortinet.event.switchController
firewall.fortinet.event.system, firewall.fortinet.event.system.noncsv | firewall.fortinet.event.system
firewall.fortinet.event.user, firewall.fortinet.event.user.noncsv | firewall.fortinet.event.user
firewall.fortinet.event.vpn, firewall.fortinet.event.vpn.noncsv | firewall.fortinet.event.vpn
firewall.fortinet.event.wad, firewall.fortinet.event.wad.noncsv | firewall.fortinet.event.wad
firewall.fortinet.fortianalyzer.analyzer | firewall.fortinet.fortianalyzer.analyzer
firewall.fortinet.fortiedr.endpoint | firewall.fortinet.fortiedr.endpoint
firewall.fortinet.ips.anomaly, firewall.fortinet.ips.anomaly.noncsv | firewall.fortinet.ips.anomaly
firewall.fortinet.securityevent |
firewall.fortinet.securityevent.antiexploit, firewall.fortinet.securityevent.antiexploit.noncsv | firewall.fortinet.securityevent.antiexploit
firewall.fortinet.securityevent.av, firewall.fortinet.securityevent.av.noncsv | firewall.fortinet.securityevent.av
firewall.fortinet.securityevent.removablemediaaccess, firewall.fortinet.securityevent.removablemediaaccess.noncsv | firewall.fortinet.securityevent.removablemediaaccess
firewall.fortinet.securityevent.sandboxing, firewall.fortinet.securityevent.sandboxing.noncsv | firewall.fortinet.securityevent.sandboxing
firewall.fortinet.securityevent.sslvpn, firewall.fortinet.securityevent.sslvpn.noncsv | firewall.fortinet.securityevent.sslvpn
firewall.fortinet.securityevent.vulnerabilityscan, firewall.fortinet.securityevent.vulnerabilityscan.noncsv | firewall.fortinet.securityevent.vulnerabilityscan
firewall.fortinet.securityevent.webfilter, firewall.fortinet.securityevent.webfilter.noncsv | firewall.fortinet.securityevent.webfilter
firewall.fortinet.systemevent |
firewall.fortinet.systemevent.endpoint, firewall.fortinet.systemevent.endpoint.noncsv | firewall.fortinet.systemevent.endpoint
firewall.fortinet.systemevent.system, firewall.fortinet.systemevent.system.noncsv | firewall.fortinet.systemevent.system
firewall.fortinet.systemevent.update, firewall.fortinet.systemevent.update.noncsv | firewall.fortinet.systemevent.update
firewall.fortinet.traffic |
firewall.fortinet.traffic.allowed, firewall.fortinet.traffic.allowed.noncsv | firewall.fortinet.traffic
firewall.fortinet.traffic.forward, firewall.fortinet.traffic.forward.noncsv | firewall.fortinet.traffic
firewall.fortinet.traffic.local, firewall.fortinet.traffic.local.noncsv | firewall.fortinet.traffic.local
firewall.fortinet.traffic.slb_http, firewall.fortinet.traffic.slb_http.noncsv | firewall.fortinet.traffic.slb_http
firewall.fortinet.utm |
firewall.fortinet.utm.anomaly, firewall.fortinet.utm.anomaly.noncsv | firewall.fortinet.utm.anomaly
firewall.fortinet.utm.app-ctrl, firewall.fortinet.utm.app-ctrl.noncsv | firewall.fortinet.utm.appCtrl
firewall.fortinet.utm.dns, firewall.fortinet.utm.dns.noncsv | firewall.fortinet.utm.dns
firewall.fortinet.utm.emailfilter, firewall.fortinet.utm.emailfilter.noncsv | firewall.fortinet.utm.emailfilter
firewall.fortinet.utm.ips, firewall.fortinet.utm.ips.noncsv | firewall.fortinet.utm.ips
firewall.fortinet.utm.ssh, firewall.fortinet.utm.ssh.noncsv | firewall.fortinet.utm.ssh
firewall.fortinet.utm.ssl, firewall.fortinet.utm.ssl.noncsv | firewall.fortinet.utm.ssl
firewall.fortinet.utm.virus, firewall.fortinet.utm.virus.noncsv | firewall.fortinet.utm.virus
firewall.fortinet.utm.voip, firewall.fortinet.utm.voip.noncsv | firewall.fortinet.utm.voip
firewall.fortinet.utm.waf, firewall.fortinet.utm.waf.noncsv | firewall.fortinet.utm.waf
firewall.fortinet.utm.webfilter, firewall.fortinet.utm.webfilter.noncsv | firewall.fortinet.utm.webfilter
firewall.fortinet.voip |
firewall.fortinet.voip.voip, firewall.fortinet.voip.voip.noncsv | firewall.fortinet.voip.voip