Skip to content

Fortinet/Fortigate Firewall

Fortinet_logo

About

FortiGate NGFWs delivers industry leading enterprise security for any edge at any scale with full visibility, and threat protection. Organizations can weave security deep into the Hybrid IT architecture, and build Security-Driven Networks.

Product Details

Vendor URL: Fortinet Next-Generation Firewall (NGFW)

Product Type: Hardware

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Fortinet - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 90-100%

Data Label: FORTINET_SANDBOX

UDM Fields (list of all UDM fields leveraged in the Parser):

Parser will be able to handle log field names structured as follows: ad., FTNTFGT, and just .

Log File Field UDM Field
act security_result.action_details
action security_result.summary
action1 security_result.description
ad.agent network.http.user_agent
ad.logdesc security_result.description
application principal.application
attack security_result.summary
attack security_result.threat_name
Blocked URL security_result.summary
c6a2 target.ip
c6a3 principal.ip
catdesc security_result.description
category_details security_result.category_details
cef_idnumber metadata.product_log_id
cef_product metadata.product_name
cef_version metadata.product_version
crlevel security_result.severity
crscore security_result.severity_details
devname target.hostname
df_msg security_result.detection_fields
dhost target.hostname
dhost target.ip
dhost target.hostname
dst target.ip
dst target.hostname
dst_country target.asset.location.country_or_region
dst_domain target.administrative_domain
dst_lat target.asset.location.region_latitude
dst_long target.asset.location.region_longitude
dst_port target.port
dstcountry target.location.country_or_region
dstip target.ip
dstmac target.mac
dstport target.port
duser principal.user.userid
duser target.user.userid
filename target.file.full_path
fortihost target.hostname
group principal.user.groupid
hostname principal.hostname
hostname target.hostname
ID:devid target.asset_id
ip network.dhcp.yiaddr
ip principal.ip
json_log1.FTNTFGTappcat security_result.summary
json_log1.FTNTFGTlevel security_result.severity_details
json_log1.FTNTFGTpolicyid security_result.rule_id
json_log1.FTNTFGTpolicyname security_result.rule_name
json_log1.FTNTFGTpolicytype security_result.rule_name
level security_result.severity_details
locip principal.ip
logdesc metadata.description
mac principal.mac
msg metadata.description
msg security_result.description
msg metadata.description
msg - URL Category: catdesc security_result.description
name principal.hostname
observer observer.ip
observer observer.hostname
observer_domain observer.administrative_domain
os_version principal.platform_version
osversion principal.platform_version
policyid security_result.rule_name
product metadata.product_name
product_event metadata.product_event_type
questions network.dns.questions
rcvdbyte network.received_bytes
reason security_result.description
receive_bytes network.received_bytes
ref metadata.url_back_to_product
remip principal.ip
request target.url
sent_bytes network.sent_bytes
sentbyte network.sent_bytes
server target.hostname
service target.application
shost principal.ip
shost principal.hostname
src principal.ip
src principal.hostname
src principal.ip
src_country principal.asset.location.country_or_region
src_domain principal.administrative_domain
src_port principal.port
srccountry principal.location.country_or_region
srcip principal.ip
srcmac principal.mac
srcname principal.hostname
srcname principal.process.command_line
srcport principal.port
subtype security_result.summary
summary security_result.summary
suser principal.user.userid
tempcfgattr security_result.detection_fields
tempcfgpath security_result.detection_fields
tempcfgtid security_result.detection_fields
tempvd security_result.detection_fields
tunnelip target.ip
type - subtype metadata.product_event_type
type - subtype metadata.description
type - subtype - connection_type metadata.product_event_type
unauthuser principal.user.user_display_name
url target.url
user principal.user.userid
user target.user.userid
usingpolicy security_result.rule_name
UTMaction2 security_result2.description
virus security_result.summary
virus security_result.threat_name
virusid security_result.threat_id
x_additional_dstint additional.fields
x_additional_srcintf additional.fields
x_additional_unauthuser additional.fields

Product Event Types

Severity alerting enabled
Critical TRUE

Log Sample

<189>logver=602071190 timestamp=1632568667 tz="UTC-7:00" devname="hostname1" devid="devid" vd="PCI-INT" date=2021-09-25 time=04:17:47 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1632568668050007900 tz="-0700" srcip=10.200.166.96 srcport=39730 srcintf="VLAN166" srcintfrole="undefined" dstip=10.200.177.109 dstport=88 dstintf="VLAN82" dstintfrole="undefined" sessionid=1660135052 proto=6 action="server-rst" policyid=25 policytype="policy" poluuid="policyuid" service="TCP88" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=6 sentbyte=561 rcvdbyte=1934 sentpkt=7 rcvdpkt=7 appcat="unscanned"

Sample Parsing

metadata.event_timestamp = "2021-09-25T11:17:48Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Fortinet"
metadata.product_name = "Fortigate"
metadata.product_event_type = "traffic - "
metadata.description = "traffic - "
principal.ip = "10.200.166.96"
principal.port = 39730
principal.asset.ip = "10.200.166.96"
target.asset_id = "ID:devid"
target.ip = "10.200.177.109"
target.port = 88
target.application = "TCP88"
target.asset.asset_id = "ID:devid"
intermediary.hostname = "hostname1"
security_result.rule_name = "25"
security_result.severity = "MEDIUM"
security_result.severity_details = "level: notice"
network.sent_bytes = "561"
network.received_bytes = "1934"
network.ip_protocol = "TCP"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above. There is an override in this parser which will set all parser-based alerts to LOW severity.