Fortinet/Fortigate Firewall
About
FortiGate NGFWs deliver industry-leading enterprise security for any edge at any scale, with full visibility and threat protection. Organizations can weave security deep into their hybrid IT architecture and build Security-Driven Networks.
Product Details
Vendor URL: Fortinet Next-Generation Firewall (NGFW)
Product Type: Hardware
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Fortinet - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: SYSLOG
Expected Normalization Rate: 90-100%
Data Label: FORTINET_SANDBOX
UDM Fields (list of all UDM fields leveraged in the Parser):
The parser also handles log field names carrying the ad. prefix (for example ad.agent and ad.logdesc in the table below).
Log File Field | UDM Field |
---|---|
act | security_result.action_details |
action | security_result.summary |
action1 | security_result.description |
ad.agent | network.http.user_agent |
ad.logdesc | security_result.description |
application | principal.application |
attack | security_result.summary |
attack | security_result.threat_name |
Blocked URL | security_result.summary |
c6a2 | target.ip |
c6a3 | principal.ip |
catdesc | security_result.description |
category_details | security_result.category_details |
cef_idnumber | metadata.product_log_id |
cef_product | metadata.product_name |
cef_version | metadata.product_version |
crlevel | security_result.severity |
crscore | security_result.severity_details |
devname | target.hostname |
df_msg | security_result.detection_fields |
dhost | target.hostname |
dhost | target.ip |
dst | target.ip |
dst | target.hostname |
dst_country | target.asset.location.country_or_region |
dst_domain | target.administrative_domain |
dst_lat | target.asset.location.region_latitude |
dst_long | target.asset.location.region_longitude |
dst_port | target.port |
dstcountry | target.location.country_or_region |
dstip | target.ip |
dstmac | target.mac |
dstport | target.port |
duser | principal.user.userid |
duser | target.user.userid |
filename | target.file.full_path |
fortihost | target.hostname |
group | principal.user.groupid |
hostname | principal.hostname |
hostname | target.hostname |
ID:devid | target.asset_id |
ip | network.dhcp.yiaddr |
ip | principal.ip |
json_log1.FTNTFGTappcat | security_result.summary |
json_log1.FTNTFGTlevel | security_result.severity_details |
json_log1.FTNTFGTpolicyid | security_result.rule_id |
json_log1.FTNTFGTpolicyname | security_result.rule_name |
json_log1.FTNTFGTpolicytype | security_result.rule_name |
level | security_result.severity_details |
locip | principal.ip |
logdesc | metadata.description |
mac | principal.mac |
msg | metadata.description |
msg | security_result.description |
msg - URL Category: catdesc | security_result.description |
name | principal.hostname |
observer | observer.ip |
observer | observer.hostname |
observer_domain | observer.administrative_domain |
os_version | principal.platform_version |
osversion | principal.platform_version |
policyid | security_result.rule_name |
product | metadata.product_name |
product_event | metadata.product_event_type |
questions | network.dns.questions |
rcvdbyte | network.received_bytes |
reason | security_result.description |
receive_bytes | network.received_bytes |
ref | metadata.url_back_to_product |
remip | principal.ip |
request | target.url |
sent_bytes | network.sent_bytes |
sentbyte | network.sent_bytes |
server | target.hostname |
service | target.application |
shost | principal.ip |
shost | principal.hostname |
src | principal.ip |
src | principal.hostname |
src_country | principal.asset.location.country_or_region |
src_domain | principal.administrative_domain |
src_port | principal.port |
srccountry | principal.location.country_or_region |
srcip | principal.ip |
srcmac | principal.mac |
srcname | principal.hostname |
srcname | principal.process.command_line |
srcport | principal.port |
subtype | security_result.summary |
summary | security_result.summary |
suser | principal.user.userid |
tempcfgattr | security_result.detection_fields |
tempcfgpath | security_result.detection_fields |
tempcfgtid | security_result.detection_fields |
tempvd | security_result.detection_fields |
tunnelip | target.ip |
type - subtype | metadata.product_event_type |
type - subtype | metadata.description |
type - subtype - connection_type | metadata.product_event_type |
unauthuser | principal.user.user_display_name |
url | target.url |
user | principal.user.userid |
user | target.user.userid |
usingpolicy | security_result.rule_name |
UTMaction2 | security_result2.description |
virus | security_result.summary |
virus | security_result.threat_name |
virusid | security_result.threat_id |
x_additional_dstint | additional.fields |
x_additional_srcintf | additional.fields |
x_additional_unauthuser | additional.fields |
Product Event Types
Severity | Alerting Enabled |
---|---|
Critical | TRUE |
Log Sample
<189>logver=602071190 timestamp=1632568667 tz="UTC-7:00" devname="hostname1" devid="devid" vd="PCI-INT" date=2021-09-25 time=04:17:47 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1632568668050007900 tz="-0700" srcip=10.200.166.96 srcport=39730 srcintf="VLAN166" srcintfrole="undefined" dstip=10.200.177.109 dstport=88 dstintf="VLAN82" dstintfrole="undefined" sessionid=1660135052 proto=6 action="server-rst" policyid=25 policytype="policy" poluuid="policyuid" service="TCP88" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=6 sentbyte=561 rcvdbyte=1934 sentpkt=7 rcvdpkt=7 appcat="unscanned"
Sample Parsing
metadata.event_timestamp = "2021-09-25T11:17:48Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Fortinet"
metadata.product_name = "Fortigate"
metadata.product_event_type = "traffic - "
metadata.description = "traffic - "
principal.ip = "10.200.166.96"
principal.port = 39730
principal.asset.ip = "10.200.166.96"
target.asset_id = "ID:devid"
target.ip = "10.200.177.109"
target.port = 88
target.application = "TCP88"
target.asset.asset_id = "ID:devid"
intermediary.hostname = "hostname1"
security_result.rule_name = "25"
security_result.severity = "MEDIUM"
security_result.severity_details = "level: notice"
network.sent_bytes = "561"
network.received_bytes = "1934"
network.ip_protocol = "TCP"
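The following Python is an added illustration, not the Cyderes parser itself: it splits a FortiGate key=value syslog line like the sample above (quoted values, dotted ad. keys, the leading PRI header) and applies a subset of the mapping table, reproducing the derived values shown under Sample Parsing. The FIELD_TO_UDM subset, the eventtime nanosecond conversion and the "ID:" asset_id rule are assumptions inferred from this page's table and sample output.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Subset of this page's field-to-UDM mapping table (assumption: not the full parser).
FIELD_TO_UDM = {
    "srcip": "principal.ip", "srcport": "principal.port",
    "dstip": "target.ip", "dstport": "target.port",
    "service": "target.application", "policyid": "security_result.rule_name",
    "sentbyte": "network.sent_bytes", "rcvdbyte": "network.received_bytes",
    "logdesc": "metadata.description", "ad.logdesc": "security_result.description",
    "ad.agent": "network.http.user_agent", "user": "principal.user.userid",
}
INTEGER_UDM = {"principal.port", "target.port"}  # the sample output shows these as numbers

# key=value pairs: keys may be dotted (ad.agent); values are "quoted" (may contain
# spaces) or bare tokens. The optional <PRI> syslog header is consumed separately.
PRI_RE = re.compile(r"^<\d{1,3}>")
KV_RE = re.compile(r'([\w.\-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_syslog(line: str) -> Dict[str, str]:
    """Return the raw key/value fields of one FortiGate syslog line, quotes stripped."""
    m = PRI_RE.match(line)
    body = line[m.end():] if m else line
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def to_udm(fields: Dict[str, str]) -> Dict[str, Any]:
    """Apply the mapping subset plus the derived fields visible in the page's sample."""
    udm: Dict[str, Any] = {}
    for key, value in fields.items():
        udm_field = FIELD_TO_UDM.get(key)
        if udm_field is not None:
            udm[udm_field] = int(value) if udm_field in INTEGER_UDM else value
    if "eventtime" in fields:  # nanoseconds since epoch -> UTC ISO timestamp (assumed)
        secs = int(fields["eventtime"]) // 1_000_000_000
        udm["metadata.event_timestamp"] = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if "devid" in fields:  # sample shows target.asset_id = "ID:<devid>"
        udm["target.asset_id"] = "ID:" + fields["devid"]
    if "level" in fields:  # sample shows severity_details = "level: notice"
        udm["security_result.severity_details"] = "level: " + fields["level"]
    return udm

# Constructed copy of the page's sample log line, shortened to the fields used above.
SAMPLE = ('<189>logver=602071190 timestamp=1632568667 tz="UTC-7:00" devname="hostname1" '
          'devid="devid" vd="PCI-INT" type="traffic" subtype="forward" level="notice" '
          'eventtime=1632568668050007900 srcip=10.200.166.96 srcport=39730 dstip=10.200.177.109 '
          'dstport=88 action="server-rst" policyid=25 service="TCP88" sentbyte=561 rcvdbyte=1934')
```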
Parser Alerting
Alerting criteria are listed in the Product Event Types table above. This parser contains an override that sets all parser-based alerts to LOW severity.