P-Fortinet Fortigate

Fortinet FortiGate is Fortinet's next-generation firewall product line. It combines firewall, intrusion prevention, anti-virus and related security functions with security-processor-accelerated performance and deep traffic visibility. Fortinet develops and markets cybersecurity appliances, software and services, including firewalls, anti-virus, intrusion prevention and endpoint security.

Main Use Cases

Below are the main use cases for this package:

Covered under L1- Perimeter Monitoring - Indicators and Warnings package:

  • High Volume of Deny Events to Same Destination
  • Multiple Deny Events from Same Source
  • Multiple Deny Events to Same Destination
  • Multiple Denies and an Allow from Same Source

Covered under L1- Network Monitoring - Indicators and Warnings package:

  • Multiple IDS Events to Same Destination
  • Multiple IDS Events from Same Source
  • Multiple Sources Generating the Same IDS Event
  • Multiple Unique IDS Events to Same Destination
  • Unique IDS Events from Same Source
  • Unique IDS Events to Same Destination
  • Very High Severity IDS Event

Covered under L1 - Data Security DLP - Indicators and Warnings package:

  • Data Loss Prevention

Covered under product package:

  • FortiCloud server connection Failed

Supported Log Sources

Here are the log source types supported by this package as delivered:

Vendor: Fortinet
Product: Fortigate
Version(s): (none listed)
Comments: (none)

Download Instructions

Will be available in MarketPlace soon.

Installation

Follow the standard process to install this package

Content Configuration

The filters below need to be configured for the L1 - Perimeter Monitoring - Indicators and Warnings rules to trigger:

L1 Perimeter Monitoring filter: /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Firewall Deny Traffic
  • Filter URI in P-Fortinet Fortigate: /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/Product Specific/Firewall Specific Events/Fortinet Fortigate Firewall Deny Events
  • Description: matches all firewall deny events

L1 Perimeter Monitoring filter: /All Filters/ArcSight Activate/Solutions/Perimeter Monitoring/Indicators and Warnings/All Firewall Accept Traffic
  • Filter URI in P-Fortinet Fortigate: /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/Product Specific/Firewall Specific Events/Fortinet Fortigate Firewall Accept Events
  • Description: matches all firewall allow (accept) events

The filter below needs to be configured for the L1 - Data Security - Indicators and Warnings rules to trigger:

L1 Data Security filter: /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/All Data Loss Prevention Events
  • Filter URI in P-Fortinet Fortigate: /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/Product Specific/Intrusion Sensor Specific Events/Data Loss Prevention Events
  • Description: tracks the Data Loss Prevention events

The filter below needs to be configured for the L1 - Network Monitoring - Indicators and Warnings rules to trigger:

L1 Network Monitoring filter: /All Filters/ArcSight Activate/Solutions/Network Monitoring/Indicators and Warnings/All IDS Events
  • Filter URI in P-Fortinet Fortigate: /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/Fortinet Fortigate Type UTM
  • Description: matches all UTM (IPS) events
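The following is an added example, not code from this package or from the Activate framework. It shows, on constructed FortiGate key=value syslog lines, how events are sorted into the event classes that the product filters above map onto (firewall deny, firewall accept, UTM/IPS, DLP, FortiCloud connection failure) and then runs a simplified version of one of the Main Use Cases listed earlier, "Multiple Denies and an Allow from Same Source". The field names (type, subtype, action, srcip, dstip, logdesc) follow the FortiOS log format; the sample lines, the FortiCloud logdesc text, the deny threshold and the time window are all assumptions made for the example, and the matching conditions are this example's reading of the page, not the filters' actual definitions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in FortiOS key=value syslog format (field names follow
# FortiOS conventions; values and the FortiCloud logdesc text are made up here).
SAMPLE_LOGS = [
    'date=2019-10-04 time=10:00:00 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51001 dstip=198.51.100.10 dstport=22 proto=6 action="deny" policyid=0',
    'date=2019-10-04 time=10:00:05 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51002 dstip=198.51.100.10 dstport=445 proto=6 action="deny" policyid=0',
    'date=2019-10-04 time=10:00:09 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51003 dstip=198.51.100.10 dstport=3389 proto=6 action="deny" policyid=0',
    'date=2019-10-04 time=10:00:20 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=51004 dstip=198.51.100.10 dstport=443 proto=6 action="accept" policyid=12',
    'date=2019-10-04 time=10:00:30 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" srcip=10.0.0.9 srcport=40000 dstip=198.51.100.10 dstport=80 proto=6 action="deny" policyid=0',
    'date=2019-10-04 time=10:00:31 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" srcip=10.0.0.9 srcport=40001 dstip=198.51.100.10 dstport=80 proto=6 action="accept" policyid=12',
    'date=2019-10-04 time=10:01:00 devname="FGT-EDGE" type="utm" subtype="ips" eventtype="signature" level="alert" severity="critical" srcip=203.0.113.7 dstip=10.0.0.20 action="dropped" attack="Example.Attack.Signature"',
    'date=2019-10-04 time=10:01:10 devname="FGT-EDGE" type="utm" subtype="dlp" level="warning" srcip=10.0.0.20 dstip=203.0.113.50 action="block" filtername="credit-card"',
    'date=2019-10-04 time=10:02:00 devname="FGT-EDGE" type="event" subtype="system" level="error" logdesc="FortiCloud server connection failed" msg="Connection to FortiCloud server failed"',
]

# Names of the package filters the classes correspond to (taken from this page).
FILTER_DENY = "Fortinet Fortigate Firewall Deny Events"
FILTER_ACCEPT = "Fortinet Fortigate Firewall Accept Events"
FILTER_UTM = "Fortinet Fortigate Type UTM"
FILTER_DLP = "Data Loss Prevention Events"
FILTER_FORTICLOUD = "FortiCloud server connection Failed"

# key=value pairs; values are either a double-quoted string or a run of non-spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Parse one FortiOS key=value syslog line into a dict (quotes stripped)."""
    ev = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        ev[key] = val
    if "date" in ev and "time" in ev:
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def classify(ev):
    """Name the package filter an event would feed, or None.
    These conditions are an assumption for the example (type/subtype/action/logdesc);
    the real filter definitions are not reproduced on the page."""
    t, sub, action = ev.get("type"), ev.get("subtype"), ev.get("action")
    desc = ev.get("logdesc", "").lower()
    if t == "traffic" and action == "deny":
        return FILTER_DENY
    if t == "traffic" and action == "accept":
        return FILTER_ACCEPT
    if t == "utm" and sub == "dlp":
        return FILTER_DLP
    if t == "utm":
        return FILTER_UTM
    if t == "event" and "forticloud" in desc and "fail" in desc:
        return FILTER_FORTICLOUD
    return None


def denies_then_allow(events, min_denies=3, window=timedelta(minutes=2)):
    """Simplified 'Multiple Denies and an Allow from Same Source': fire when a source
    with at least min_denies deny events inside `window` is then allowed.
    Threshold and window are assumed values, not the ArcSight rule's settings."""
    recent = defaultdict(deque)  # srcip -> timestamps of recent deny events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, src = classify(ev), ev.get("srcip")
        if kind == FILTER_DENY:
            recent[src].append(ev["ts"])
        elif kind == FILTER_ACCEPT:
            q = recent[src]
            while q and ev["ts"] - q[0] > window:  # drop denies outside the window
                q.popleft()
            if len(q) >= min_denies:
                alerts.append({"srcip": src, "denies": len(q), "allowed_at": ev["ts"],
                               "dstip": ev.get("dstip"), "dstport": ev.get("dstport")})
                q.clear()  # one alert per burst
    return alerts


def run(lines=SAMPLE_LOGS):
    """Classify every line and run the correlation; returns (counts, alerts)."""
    events = [parse_fortigate(line) for line in lines]
    counts = defaultdict(int)
    for ev in events:
        counts[classify(ev)] += 1
    return dict(counts), denies_then_allow(events)


if __name__ == "__main__":
    counts, alerts = run()
    for name, n in counts.items():
        print(f"{n:3d}  {name}")
    for alert in alerts:
        print("ALERT", alert)
```

On the sample data the classifier feeds four events to the deny filter, two to the accept filter, one each to the UTM, DLP and FortiCloud filters, and the correlation fires once, for 10.0.0.5, which was denied three times within the window and then allowed; 10.0.0.9 produced only one deny before its accept and stays below the threshold. A UTM DLP event is assigned to the DLP class before the generic UTM class, which is a precedence choice of this example.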

Uninstallation

Follow the standard process to uninstall this package

Resources

The tables below list all resources included in this package:

Active Channels
Resource Name / Path / Description

The following channels are located under /All Active Channels/ArcSight Activate/Core/Product Channels/Fortinet Fortigate:
  • All Fortinet Fortigate Events
  • All Fortinet Fortigate System Events
  • All Fortinet Fortigate Traffic Events
  • All Fortinet Fortigate UTM Events

Field Sets
Resource Name / Path / Description
  • Fortinet Fortigate Events: /All Field Sets/ArcSight Activate/Core/Product Field Sets/Fortinet Fortigate (this field set provides the necessary Fortinet Fortigate fields)

Filters
Resource Name / Path / Description

Under /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate:
  • All Fortinet Fortigate Events
  • Fortinet Fortigate System Event
  • Fortinet Fortigate Traffic Events
  • Fortinet Fortigate UTM Events

Under /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/Product Specific/Intrusion Sensor Specific Events:
  • Data Loss Prevention Events
  • Attack Detection by Signature

Under /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/Product Specific/Firewall Specific Events:
  • Fortinet Fortigate Firewall Accept Events
  • Fortinet Fortigate Firewall Deny Events

Under /All Filters/ArcSight Activate/Core/Product Filters/Fortinet Fortigate/System Errors:
  • FortiCloud server connection Failed

Rules
Resource Name / Path / Description
  • FortiCloud Server Connection Failed: /All Rules/ArcSight Activate/Solutions/Product Rules/Fortinet Fortigate/Product Specific

Rules: complete description

Below are the rules, with complete descriptions, written specifically for Fortinet Fortigate.

Rule: FortiCloud Server Connection Failed
  • Aggregation Fields: Device Event Category, Destination Address, Destination Zone Resource, srcHostName, dstHostName, dvcHostName, Device Address, Device Zone, Source Address, Source Zone, Customer Resource
  • Agent Severity: Medium
  • Behaviour: /Access/Stop
  • Custom Format: /Attack Life Cycle/Objectives/Availability
  • Object: (not set)
  • Outcome: /Failure
  • Significance: /Informational/Error
  • Technique: (not set)
  • Event Annotation Stage: System Monitored
Graph View:
  • Rule: FortiCloud Server Connection Failed (image: Rule_Connection_Failed.PNG)
  • Filter: Fortinet Fortigate Firewall Deny Events (image: firewall_deny.png)
  • Filter: Fortinet Fortigate Firewall Accept Events (image: Firewall_accept.png)

Test Plan

PFortinetFortigateTestPlan contains the test plan for this package.


-- GeorgeBoitano - 26 Jan 2016
Topic attachments
  • Firewall_accept.png (png, 39.9 K, 01 May 2019 - 22:33, YunPeng)
  • Fortinet_Fortigate_5.6.2_and_6.0.2.events (events, 1428.0 K, 05 Sep 2019 - 23:51, YunPeng): replay events
  • Rule.png (png, 11.4 K, 01 May 2019 - 22:17, YunPeng)
  • Rule_Connection_Failed.PNG (PNG, 11.0 K, 30 Sep 2019 - 21:40, YunPeng)
  • firewall_deny.png (png, 22.8 K, 01 May 2019 - 22:30, YunPeng)
Topic revision: r11 - 04 Oct 2019, YunPeng


 

