Fortinet/Fortigate Firewall

About

FortiGate NGFWs deliver industry-leading enterprise security for any edge at any scale, with full visibility and threat protection. Organizations can weave security deep into their hybrid IT architecture and build Security-Driven Networks.

Product Details

Vendor URL: Fortinet Next-Generation Firewall (NGFW)

Product Type: Hardware

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Fortinet - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 90-100%

Data Label: FORTINET_SANDBOX

UDM Fields (list of all UDM fields leveraged in the Parser):

The parser handles log field names in three forms: prefixed with ad., prefixed with FTNTFGT, or with no prefix at all.

| Log File Field | UDM Field |
| --- | --- |
| Statically Defined | metadata.vendor_name |
| logdesc, msg, type, subtype | metadata.description |
| Statically Defined | metadata.event_type |
| Statically Defined | extensions.auth.type |
| Statically Defined | extensions.auth.mechanism |
| dstmac | target.mac |
| service | target.application |
| url | target.url |
| srcip, src, c6a3 | principal.ip |
| user | principal.user.userid |
| dstip, c6a2, tunnelip | target.ip |
| localip | src.ip |
| srcmac | principal.mac |
| ID:{devid} | target.asset_id |
| user, duser | target.user.userid |
| direction | network.direction |
| hostname, server, devname | target.hostname |
| dst_port | target.port |
| filename | target.file.full_path |
| name | principal.hostname |
| locip, remip, srcip | principal.ip |
| group | principal.user.groupid |
| src_port | principal.port |
| proto | network.ip_protocol |
| srcname | principal.process.command_line |
| Statically Defined | network.application_protocol |
| osname | principal.platform |
| os_version | principal.platform_version |
| Statically Defined | metadata.product_name |
| type - subtype | metadata.product_event_type |
| crlevel, level | security_result.severity |
| action | security_result.action |
| usingpolicy, policyid | security_result.rule_name |
| reason | security_result.description |
| virusid | security_result.threat_id |
| virus, attack | security_result.threat_name |
| crscore | security_result.severity_details |
| subtype | security_result.summary |
| rcvdbyte | network.received_bytes |
| sentbyte | network.sent_bytes |
| devname | intermediary.hostname |
| request | target.url |
| agent | network.http.user_agent |

Product Event Types

| Severity | Alerting enabled |
| --- | --- |
| Critical | TRUE |

Log Sample

<189>logver=602071190 timestamp=1632568667 tz="UTC-7:00" devname="hostname1" devid="devid" vd="PCI-INT" date=2021-09-25 time=04:17:47 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1632568668050007900 tz="-0700" srcip=10.200.166.96 srcport=39730 srcintf="VLAN166" srcintfrole="undefined" dstip=10.200.177.109 dstport=88 dstintf="VLAN82" dstintfrole="undefined" sessionid=1660135052 proto=6 action="server-rst" policyid=25 policytype="policy" poluuid="policyuid" service="TCP88" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=6 sentbyte=561 rcvdbyte=1934 sentpkt=7 rcvdpkt=7 appcat="unscanned"

Sample Parsing

metadata.event_timestamp = "2021-09-25T11:17:48Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Fortinet"
metadata.product_name = "Fortigate"
metadata.product_event_type = "traffic - "
metadata.description = "traffic - "
principal.ip = "10.200.166.96"
principal.port = 39730
principal.asset.ip = "10.200.166.96"
target.asset_id = "ID:devid"
target.ip = "10.200.177.109"
target.port = 88
target.application = "TCP88"
target.asset.asset_id = "ID:devid"
intermediary.hostname = "hostname1"
security_result.rule_name = "25"
security_result.severity = "MEDIUM"
security_result.severity_details = "level: notice"
network.sent_bytes = "561"
network.received_bytes = "1934"
network.ip_protocol = "TCP"
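As an added worked example (not the Cyderes parser itself, nor code from this page), the following Python applies the field table above to the sample log: it strips the syslog PRI, tokenises the key=value pairs (quoted and bare), removes the ad. and FTNTFGT field-name prefixes the parser accepts, and emits the UDM fields shown under Sample Parsing. The SAMPLE line is a constructed, shortened copy of the page's sample; the IANA protocol-number lookup and the single-entry SEVERITY table are assumptions standing in for the parser's own tables.

```python
import re
from datetime import datetime, timezone
# Constructed, shortened copy of the page's sample log line (eventtime is epoch nanoseconds).
SAMPLE = ('<189>timestamp=1632568667 devname="hostname1" devid="devid" type="traffic" level="notice" '
          'eventtime=1632568668050007900 srcip=10.200.166.96 srcport=39730 dstip=10.200.177.109 '
          'dstport=88 proto=6 policyid=25 service="TCP88" sentbyte=561 rcvdbyte=1934')
# One key=value token: the value is either "double quoted" or a bare run of non-space characters.
KV_RE = re.compile(r'(?P<key>[\w.:-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
PREFIXES = ('ad.', 'FTNTFGT')                      # field-name prefixes the page says are accepted
IP_PROTO = {'1': 'ICMP', '6': 'TCP', '17': 'UDP'}   # IANA protocol numbers (assumed lookup table)
SEVERITY = {'notice': 'MEDIUM'}                    # only the level -> severity pair the page shows

def parse_fortigate(line):
    """Return (syslog PRI or None, dict of key=value fields with any name prefix stripped)."""
    m = re.match(r'^<(\d{1,3})>', line)
    pri, body = (int(m.group(1)), line[m.end():]) if m else (None, line)
    fields = {}
    for kv in KV_RE.finditer(body):
        k = kv.group('key')
        k = next((k[len(p):] for p in PREFIXES if k.startswith(p)), k)  # ad.srcip -> srcip
        fields[k] = kv.group('quoted') if kv.group('quoted') is not None else kv.group('bare')
    return pri, fields

def event_timestamp(f):
    """Prefer eventtime (epoch ns), else timestamp (epoch s); None when neither is present."""
    if 'eventtime' not in f and 'timestamp' not in f:
        return None
    secs = int(f['eventtime']) // 10**9 if 'eventtime' in f else int(f['timestamp'])
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')

def to_udm(line):
    """Apply the page's field table to one line; fields absent from the line are omitted."""
    _, f = parse_fortigate(line)
    udm = {
        'metadata.event_timestamp': event_timestamp(f),
        'principal.ip': f.get('srcip'),
        'principal.port': int(f['srcport']) if 'srcport' in f else None,
        'target.ip': f.get('dstip'),
        'target.port': int(f['dstport']) if 'dstport' in f else None,
        'target.application': f.get('service'),
        'target.asset_id': 'ID:' + f['devid'] if 'devid' in f else None,
        'intermediary.hostname': f.get('devname'),
        'security_result.rule_name': f.get('policyid'),
        'security_result.severity': SEVERITY.get(f.get('level')),
        'network.ip_protocol': IP_PROTO.get(f.get('proto')),
        'network.sent_bytes': f.get('sentbyte'),
        'network.received_bytes': f.get('rcvdbyte'),
    }
    return {k: v for k, v in udm.items() if v is not None}
```

Running to_udm(SAMPLE) reproduces the mapped values listed under Sample Parsing; a level the SEVERITY table does not know simply yields no security_result.severity field.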

Parser Alerting

Alerting criteria are listed in the Product Event Types table above. This parser includes an override that sets all parser-based alerts to LOW severity.

Rules

Coming Soon