Fortinet/Fortigate Firewall

About

FortiGate NGFWs delivers industry leading enterprise security for any edge at any scale with full visibility, and threat protection. Organizations can weave security deep into the Hybrid IT architecture, and build Security-Driven Networks.

Product Details

Vendor URL: Fortinet Next-Generation Firewall (NGFW)

Product Type: Hardware

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Fortinet - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 90-100%

Data Label: FORTINET_SANDBOX

UDM Fields (list of all UDM fields leveraged in the Parser):

Parser will be able to handle log field names structured as follows: ad., FTNTFGT, and just .

Log File Field	UDM Field
act	security_result.action_details
action	security_result.summary
action1	security_result.description
ad.agent	network.http.user_agent
ad.logdesc	security_result.description
application	principal.application
attack	security_result.summary
attack	security_result.threat_name
Blocked URL	security_result.summary
c6a2	target.ip
c6a3	principal.ip
catdesc	security_result.description
category_details	security_result.category_details
cef_idnumber	metadata.product_log_id
cef_product	metadata.product_name
cef_version	metadata.product_version
crlevel	security_result.severity
crscore	security_result.severity_details
devname	target.hostname
df_msg	security_result.detection_fields
dhost	target.hostname
dhost	target.ip
dhost	target.hostname
dst	target.ip
dst	target.hostname
dst_country	target.asset.location.country_or_region
dst_domain	target.administrative_domain
dst_lat	target.asset.location.region_latitude
dst_long	target.asset.location.region_longitude
dst_port	target.port
dstcountry	target.location.country_or_region
dstip	target.ip
dstmac	target.mac
dstport	target.port
duser	principal.user.userid
duser	target.user.userid
filename	target.file.full_path
fortihost	target.hostname
group	principal.user.groupid
hostname	principal.hostname
hostname	target.hostname
ID:devid	target.asset_id
ip	network.dhcp.yiaddr
ip	principal.ip
json_log1.FTNTFGTappcat	security_result.summary
json_log1.FTNTFGTlevel	security_result.severity_details
json_log1.FTNTFGTpolicyid	security_result.rule_id
json_log1.FTNTFGTpolicyname	security_result.rule_name
json_log1.FTNTFGTpolicytype	security_result.rule_name
level	security_result.severity_details
locip	principal.ip
logdesc	metadata.description
mac	principal.mac
msg	metadata.description
msg	security_result.description
msg	metadata.description
msg - URL Category: catdesc	security_result.description
name	principal.hostname
observer	observer.ip
observer	observer.hostname
observer_domain	observer.administrative_domain
os_version	principal.platform_version
osversion	principal.platform_version
policyid	security_result.rule_name
product	metadata.product_name
product_event	metadata.product_event_type
questions	network.dns.questions
rcvdbyte	network.received_bytes
reason	security_result.description
receive_bytes	network.received_bytes
ref	metadata.url_back_to_product
remip	principal.ip
request	target.url
sent_bytes	network.sent_bytes
sentbyte	network.sent_bytes
server	target.hostname
service	target.application
shost	principal.ip
shost	principal.hostname
src	principal.ip
src	principal.hostname
src	principal.ip
src_country	principal.asset.location.country_or_region
src_domain	principal.administrative_domain
src_port	principal.port
srccountry	principal.location.country_or_region
srcip	principal.ip
srcmac	principal.mac
srcname	principal.hostname
srcname	principal.process.command_line
srcport	principal.port
subtype	security_result.summary
summary	security_result.summary
suser	principal.user.userid
tempcfgattr	security_result.detection_fields
tempcfgpath	security_result.detection_fields
tempcfgtid	security_result.detection_fields
tempvd	security_result.detection_fields
tunnelip	target.ip
type - subtype	metadata.product_event_type
type - subtype	metadata.description
type - subtype - connection_type	metadata.product_event_type
unauthuser	principal.user.user_display_name
url	target.url
user	principal.user.userid
user	target.user.userid
usingpolicy	security_result.rule_name
UTMaction2	security_result2.description
virus	security_result.summary
virus	security_result.threat_name
virusid	security_result.threat_id
x_additional_dstint	additional.fields
x_additional_srcintf	additional.fields
x_additional_unauthuser	additional.fields

Product Event Types

Severity	alerting enabled
Critical	TRUE

Log Sample

<189>logver=602071190 timestamp=1632568667 tz="UTC-7:00" devname="hostname1" devid="devid" vd="PCI-INT" date=2021-09-25 time=04:17:47 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1632568668050007900 tz="-0700" srcip=10.200.166.96 srcport=39730 srcintf="VLAN166" srcintfrole="undefined" dstip=10.200.177.109 dstport=88 dstintf="VLAN82" dstintfrole="undefined" sessionid=1660135052 proto=6 action="server-rst" policyid=25 policytype="policy" poluuid="policyuid" service="TCP88" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=6 sentbyte=561 rcvdbyte=1934 sentpkt=7 rcvdpkt=7 appcat="unscanned"

Sample Parsing

metadata.event_timestamp = "2021-09-25T11:17:48Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Fortinet"
metadata.product_name = "Fortigate"
metadata.product_event_type = "traffic - "
metadata.description = "traffic - "
principal.ip = "10.200.166.96"
principal.port = 39730
principal.asset.ip = "10.200.166.96"
target.asset_id = "ID:devid"
target.ip = "10.200.177.109"
target.port = 88
target.application = "TCP88"
target.asset.asset_id = "ID:devid"
intermediary.hostname = "hostname1"
security_result.rule_name = "25"
security_result.severity = "MEDIUM"
security_result.severity_details = "level: notice"
network.sent_bytes = "561"
network.received_bytes = "1934"
network.ip_protocol = "TCP"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above. There is an override in this parser which will set all parser-based alerts to LOW severity.

Rules

Coming Soon