Quantcast
Channel: Fortinet GURU
Viewing all 2380 articles
Browse latest View live

FortiSIEM VMware Monitoring Events

$
0
0
VMware Monitoring Events

AccelOps generates the following events VMware related system monitoring events

VM level events

VM State Monitoring

VM Uptime Monitoring

VM CPU Monitoring

VM Per CPU Monitoring

VM Memory Monitoring

VM Datastore Utilization Monitoring

VM Disk I/O Monitoring

VM Datastore I/O Monitoring

VM Network I/O Monitoring

Disk Growth Trend – Daily

Disk Growth Trend – Weekly

Disk Growth Trend – Monthly

ESX level events

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting

IP

reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
VM Name vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported

ESX State Monitoring

ESX CPU Monitoring

ESX Memory Monitoring

ESX Datastore Utilization Monitoring

ESX Disk I/O Monitoring

ESX Datastore I/O Monitoring

Cluster and resource pool events

VM Cluster CPU Utilization

VM Cluster Memory Utilization

VM Cluster Datastore I/O Utilization

VM Resource pool CPU Utilization

VM Resource pool Memory Utilization

VM State Monitoring

Event Type: PH_DEV_MON_VM_STATE

Description: Event containing VM State Source: All Key Attributes:

Physical

Machine

Name

phyMachName string
Physical machine IP phyMachIpAddr IP
vmPowerState string
vmPowerStateCode uint32
vmConnectionState string
vmConnectionStateCode uint32
status string
Poll Interval pollIntv uint32 Poll interval in seconds

 

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName

 

VM Uptime Monitoring

Event Type: PH_DEV_MON_VM_UPTIME

Description: Event containing VM Uptime Source: All Key Attributes:

phyMachIpAddr
sysUpTime
sysDownTime
Poll Interval pollIntv uint32 Polling interval in seconds

FortiSIEM VM CPU Monitoring Event

$
0
0

VM CPU Monitoring Event

Event Type: PH_DEV_MON_VM_CPU_UTIL

Description: Event containing VM CPU metrics Source: All Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName
phyMachIpAddr
Avg Round

Trip Time

processors uint32 Average Round trip time from the ping tests done during this interval
Max Round

Trip Time

vCpus uint32 Max Round trip time from the ping tests done during this interval
Min Round

Trip Time

cpuUtil uint32 Min Round trip time from the ping tests done during this interval
cpuRunPct
cpuMlmtedPct

 

FortiSIEM VM Per CPU Monitoring Event

$
0
0

VM Per CPU Monitoring Event

cpuReadyPct
phyCpuUtil
cpuSysPct
Packet Loss

Pct

pktLossPct double Packet loss percentage from the ping tests done during this interval
Poll Interval pollIntv uint32 Polling interval in seconds

Event Type: PH_DEV_MON_VM_PER_CPU_UTIL

Description: Event containing VM per CPU metrics Source: All Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName
phyMachIpAddr
cpuName uint32 Average Round trip time from the ping tests done during this interval
cpuSysPct uint32
cpuUtil uint32

FortiSIEM VM Memory Monitoring

$
0
0

VM Memory Monitoring

cpuReadyPct double
phyCpuUtil double
cpuRunPct double
Poll Interval pollIntv uint32 Polling interval in seconds

Event Type: PH_DEV_MON_VM_MEM_UTIL

Description: Event containing VM Memory utilization metrics Source: All Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting

IP

reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName
phyMachIpAddr
phyMemUtil
actvMemPct
swapReadKBytesPerSec
swapWriteKBytesPerSec
Poll Interval pollIntv uint32 Polling interval in seconds

FortiSIEM VM Disk I/O Monitoring

$
0
0

VM Disk I/O Monitoring

Event Type: PH_DEV_MON_VM_DISK_IO

Description: Event containing VM Disk I/O performance metrics Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to

Low, 5-8 are mapped to Medium and 9-10 are mapped to High

Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting

IP

reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName
phyMachIpAddr
diskName
datastore
diskReadKBytesPerSec
diskWriteKBytesPerSec
diskReadReqPerSec
diskWriteReqPerSec
Poll Interval pollIntv uint32 Polling interval in seconds

Sample event:

 

FortiSIEM VM Datastore Utilization Monitoring

$
0
0

VM Datastore Utilization Monitoring

Event Type: PH_DEV_MON_VM_DISK_UTIL

Description: Event containing VM Datastore utilization metrics Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName
phyMachIpAddr
datastore
datastoreType
diskUtil
totalDiskMB
freeDiskMB
usedDiskMB
Poll Interval pollIntv uint32 Polling interval in seconds

Sample event:

FortiSIEM VM Datastore I/O Monitoring

$
0
0

VM Datastore I/O Monitoring

Event Type: PH_DEV_MON_VM_STATE

Description: Event containing VM CPU metrics Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting

IP

reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName string
phyMachIpAddr IP
datastore string
diskReadReqPerSec double
diskWriteReqPerSec double
diskReadKBytesPerSec double
diskWriteKBytesPerSec double
Poll Interval pollIntv uint32 Polling interval in seconds

Sample event:

FortiSIEM VM Network IO Monitoring

$
0
0

VM Network IO Monitoring

Event Type: PH_DEV_MON_VM_STATE

Description: Event containing VM CPU metrics Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_SYS_PING_STAT
Event

Severity

eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event

Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event

Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as

Host name attribute)

Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Raw Event

Log

rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
vmName
Host name hostName string Host name (as in AccelOps CMDB) of the device whose CPU utilization is being reported
Host IP

Address

hostIpAddr IP Access IP (as in AccelOps CMDB) of the device whose CPU utilization is being reported
phyMachName string
phyMachIpAddr IP
vSwitch string
intfName string
sentPkts uint32 Sent Packets
recvPkts uint32 Received Packets
sentBytes uint32 Sent Bytes
recvBytes uint32 Received Bytes
Poll Interval pollIntv uint32 Polling interval in seconds

Sample event:

<134>Feb 08 18:22:16 10.1.2.11 java:

[PH_DEV_MON_VM_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[phyMachName

]=HOST-10.1.2.51,

[phyMachIpAddr]=10.1.2.51, [pollIntv]=180, [vmName]=CO159,

[morId]=vm-194, [hostName]=CO159, [hostIpAddr]=10.1.2.159,

[vSwitch]=vSwitch0, [intfName]=Network adapter 1, [sentPkts]=454,

[recvPkts]=939, [sentBytes]=102400, [recvBytes]=307200

VM Cluster CPU Utilization

VM Cluster Memory Utilization

VM Cluster Datastore I/O Utilization

VM Resource pool CPU Utilization

 

VM Resource pool Memory Utilization

ESX State Monitoring

ESX Datastore Utilization Monitoring

ESX Disk I/O Monitoring

<134>Oct 02 12:00:42 192.168.1.3 java:

[PH_DEV_MON_ESX_DISK_IO]:[eventSeverity]=PHL_INFO,

[hostName]=ESX3i-QA-01.prospecthills.net, [hostIpAddr]=192.168.1.3,

[pollIntv]=180, [morId]=ha-host, [diskName]=mpx.vmhba32:C0:T0:L0,

[diskReadKBytesPerSec]=9.9, [diskWriteKBytesPerSec]=0.3,

[diskReadReqPerSec]=1.215, [diskWriteReqPerSec]=0.045,

[devDiskRdLatency]=0.1, [devDiskWrLatency]=0.4, [kernDiskRdLatency]=0.0,

[totDiskRdLatency]=0.1, [totDiskWrLatency]=0.4, [kernDiskWrLatency]=0.0

ESX Datastore I/O Monitoring


FortiSIEM Application Monitoring Events

$
0
0
Application Monitoring Events

Application Monitoring Events

AccelOps generates the following events related to application monitoring

Process Resource Utilization

Apache Performance Metrics

Microsoft ASP.NET Metrics

Exchange RPC Metrics

Exchange RPC Error Metrics

Exchange Mailbox Metrics

Exchange SMTP Metrics

Microsoft DNS Performance Metrics

Microsoft DHCP Performance Metrics

Microsoft Active Directory Performance Metrics

IP SLA VoIP Metrics

IP SLA HTTP metrics

IP SLA ICMP metrics

Generic IPSLA metrics

Tomcat Application Server Monitoring Metrics

Glassfish Application Server Monitoring Metrics

Weblogic Application Server Monitoring Metrics

Websphere Application Server Monitoring Metrics

JBOSS Application Server Monitoring Metrics

Process Resource Utilization

FortiSIEM Network Flow Monitoring Events

$
0
0
Network Flow Monitoring Events

Network Flow Events

These events are generated from Cisco Netflow and SFlow.

Event Type: IOS-NETFLOW-BI (BI standing for bidirecational: two unidirectional netflow messages are combined into one), SFLOW-BI

Description: Event containing netflow data Source: Cisco IOS (Netflow) Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to IOS-NETFLOW-BI, SFLOW-BI
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event (after receiving netflow)
Reporting IP reptDevIpAddr Date IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Relaying IP relayDevIpAddr Date IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Source IP srcIpAddr IP Source IP address of the flow
Dest IP destIpAddr IP Destination IP address of the flow
IP Protocol ipProto uint16 IP protocol e.g. TCP/UDP/GRE/ICMP etc
Source TCP/UDP

Port

srcIpPort uint16 Source TCP/UDP port
Dest TCP/UDP

Port

destIpPort uint16 Destination TCP/UDP port
ICMP Type icmpType uint16 ICMP type
ICMP Code icmpCode uint16 ICMP code
IP Type of Service tos uchar IP Type of Service
Sent TCP flags srcDestTCPFlags uchar OR-ed TCP Flags from Source to Destination
Received TCP

flags

destSrcTCPFlags uchar OR-ed TCP Flags from Destination to Source
Source Intf SNMP

Index

srcSnmpIntfIndex uint16 Source SNMP interface index
Source Interface

Name

srcIntfName string Source Interface name
Dest Intf SNMP

Index

destSnmpIntfIndex uint16 Destination SNMP interface index
Destination

Interface Name

destIntfName string Destination Interface name
Source

Autonomous

System Number

srcASNum uint16 Source Autonomous number
Dest Autonomous

System Number

destASNum uint16 Destination Autonomous number
Sent Bytes sentBytes uint32 Sent Bytes in this flow
Sent Packets sentPkts uint32 Sent Packets in this flow
Received Bytes recvBytes uint32 Received Bytes in this flow
Received Packets recvPkts uint32 received Packets in this flow

FortiSIEM Security Information Management

$
0
0

Security Information Management

User Password Monitoring Events

AccelOps generates the following events related to user password monitoring during LDAP discoveries.

LDAP Password Never Expire Events

LDAP Password Not Required Events

LDAP Password Expiry Event

LDAP Password Stale Events

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to

Low, 5-8 are mapped to Medium and 9-10 are mapped to High

Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date AccelOps Super IP
Relaying IP relayDevIpAddr Date AccelOps Super IP
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Active Directory Server Host Name
Host IP Address hostIpAddr IP Active Directory Server IP
User user string User logon name
User Full Name userFullName string user Full Display Name
User

Distinguishing

Name

userDN string User Distinguishing name
Password Age passwordAge uint64 Password age in days
Password Last

Set

passwordLastSet Date Time when password was last set

LDAP Password Not Required Events

Event Type: PH_DISCOV_ADS_PASSWORD_NOT_REQD

Description: Event contains users whose password is not required

Source: Windows Active Directory Discovery via LDAP Sample event

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES
Event Severity eventSeverity uint16 Set to 1.
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to

Low, 5-8 are mapped to Medium and 9-10 are mapped to High

Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date AccelOps Super IP
Relaying IP relayDevIpAddr Date AccelOps Super IP
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Active Directory Server Host Name
Host IP Address hostIpAddr IP Active Directory Server IP
User user string User logon name
User Full Name userFullName string user Full Display Name
User

Distinguishing

Name

userDN string User Distinguishing name

LDAP Password Expiry Event

Event Type: PH_DISCOV_ADS_PASSWORD_TO_EXPIRE

Description: Event contains users and the times when their passwords were last set and when their passwords are about to expire Source: Windows Active Directory Discovery via LDAP

Sample event

<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procNa me]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr ]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,[userDN]=CN=

Testuser,CN=Users,DC=acme,DC=net,[daysToPasswordExpiry]=0,[password

LastSet]=1360606672,[phLogDetail]=

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DISCOV_ADS_PASSWORD_TO_EXPIRE
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High

 

Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date AccelOps Super IP
Relaying IP relayDevIpAddr Date AccelOps Super IP
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Active Directory Server Host Name
Host IP Address hostIpAddr IP Active Directory Server IP
User user string User logon name
User Full Name userFullName string user Full Display Name
User

Distinguishing

Name

userDN string User Distinguishing name
Days to

Password

Expiry

daysToPasswordExpiry uint64 Number of days until the password will expire
Password Last

Set

passwordLastSet Date Time when password was last set
Name Id Type Description
Event Type eventType string Event type set to PH_DISCOV_ADS_PASSWORD_STALE
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to

Low, 5-8 are mapped to Medium and 9-10 are mapped to High

Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date AccelOps Super IP
Relaying IP relayDevIpAddr Date AccelOps Super IP
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Active Directory Server Host Name
Host IP Address hostIpAddr IP Active Directory Server IP
User user string User logon name
User Full Name userFullName string user Full Display Name

 

User

Distinguishing

Name

userDN string User Distinguishing name
Password Age passwordAge uint64 Age of the password in days
Password Last

Set

passwordLastSet Date Time when password was last set

 

 

FortiSIEM Change management related reports

$
0
0
Change management related
Change management related

Network Device Config Changes

Server Change

Network Device Config Changes

Change: Router Configuration Changes Detected From Log: This report provides details about router config changes Change: Router Run versus Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

Change: Router Config Changes Detected Via Login: This report captures detected configuration changes via login

WLAN Config Change: This report tracks all software, hardware and device configuration changes at WLAN Access points and Base stations. The report includes Original Reporting Controller IP, Event Type and MAC address of the AP or Controller where the event happened. If the MAC address is empty then, the event happened at the reporting Controller.

Change: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

Change: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

Server Changes

Change: Database Server DDL Changes: Captures database DDL changes

Change: Top Windows Servers, Users by Account Modification Count: This report ranks the windows servers and their administrative users by the number of user account modification events

Change: Windows Server Account Modification Details: This report captures the details of windows account modification events.

Details include the administrative user, target user, the operation performed and the raw log

Change: Windows File Access Details: This report captures the details of windows server file access events. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Top Windows Servers, Users By Config/Policy Modification Count: This report ranks the windows servers and their administrative users by the number of server configuration or policy modification events

Change: Windows Server Config Modification Details: This report captures the details of windows server configuration or policy

modification events. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Local User Accounts Created: This report captures user accounts added on a server Change: Local User Accounts Deleted: This report captures user accounts removed from a server Change: User Accounts Modified: This report captures local user account modifications.

Change: Users Added To Local Groups: This report captures users added to local groups.

Change: Users Added To Global Groups: This report captures users added to global or univeral groups.

Change: Users Deleted From Local Groups: This report captures users deleted from local groups.

Change: Users Deleted From Global Groups: This report captures users deleted from global or univeral groups.

Change: Local Groups Deleted: This report captures local group deletions

Change: Local Groups Modified: This report captures local group modifications

Change: Global Groups Created: This report captures global group creations

Change: Global Groups Deleted: This report captures global group deletions

Change: Global Groups Modified: This report captures global group modifications

Change: Local Groups Created: This report captures local group creations

Change: Windows Server Password Changes: Tracks password changes

Change: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Windows Audit Policy Changed: This report captures audit policy changes

Change: Windows File Access Failures: This report captures the details of windows server file access failures. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Windows File Access Successes: This report captures the details of windows server file access successes. Details include the administrative user, file/directory, the operation performed and the raw log

Change: All Account/Group Change Events: This report lists all account/group change events

Change: Top Windows Domain Controllers, Users By Account Modification Count: Ranks Domain Controllers and their administrators by the number of account modifications performed

Change: Windows Domain Account Modification Details: Details windows domain account modifications

Change: Top Windows Domain Controllers, Users By File Modification Count: Ranks the Domain Controllers abd their administrators by the number of file modifications performed

Change: Windows Domain Controller File Modification Details: Provides details about domain controller file modifications Change: Top Windows Domain Controllers, Users By Config Modification Count: Ranks Domain Controllers and their administrators by the number of config modifications performed

Change: Windows Domain Controller Config Changes: Provides detailed windows domain controller config changes

Change: Computers added to domain: Captures computers added to a domain

Change: Computers deleted from domain: Captures computers removed from a domain Change: Domain user accounts created: Captures user accounts added to a domain Change: Domain user accounts deleted: Captures user accounts removed from a domain Change: Domain user accounts modified: Captures domain user account modifications.

Change: Domain groups created: Captures domain group creations

Change: Domain groups deleted: Captures domain group deletions

Change: Domain groups modified: Captures domain group modifications

Change: Users Added To Domain Groups: Tracks users added to domain groups

Change: Users Deleted From Domain Groups: Tracks users deleted from domain groups. The information contains who did it (User, Computer, Domain, Source IP) along with the deleted account (Target User) and group (Target User Group).

Change: Domain User Password Changes: Tracks password changes

Change: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Domain Account Unlocks: Captures account unlocks on domain accounts. Account unlocks happen after lockouts that may happen on repeated login failures

Change: Windows Domain Controller Audit Policy Changed: This report captures audit policy changes

Change: Unix Users Added To Group: Tracks user additions to groups

Change: Unix User Password Changed: Tracks password changes

Change: Audited file changes: Tracks user modifications to files and directories. Both the content and attribute modifications are captured. For actions on directories, the affected files in the directories are also captured.

FortiSIEM Compliance related Reports

$
0
0
Compliance related
Compliance related

PCI

COBIT

SOX

HIPAA

PCI

PCI 1.x: Top Reporting Firewalls By Event Count: Ranks the firewalls by the number of events sent

PCI 1.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

PCI 1.x: Router Config Changes Detected From Log: This report provides details about router config changes

PCI 1.x: Router Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

PCI 1.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall’s running and startup config

PCI 1.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

PCI 1.x: Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

PCI 1.x: Firewall Admin Activity Details: Provides details about firewall admin activity – logons, command executions and logoff

PCI 1.x: Router Admin Activity Details: Provides details about router admin activity – logons, command executions and logoff

PCI 1.x: Firewall NAT Translations: This report captures the NAT translations over a time window

PCI 1.x: Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

PCI 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

PCI 1.x: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

PCI 1.x: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined

connections – these connections would be typically be for administrative and monitoring purposes PCI 5.x: Top Reporting Security Management Servers:

PCI 1.x: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

PCI 5.x: Spyware found but not remediated by Host Antivirus:

PCI 5.x: Top hosts with Malware found by Host Antivirus:

PCI 5.x: Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

PCI 5.x: Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

PCI 5.x: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

PCI 8.x,10.x: Detailed Successful Login At PCI Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 8.x: Windows Server Account Lockouts: This report captures account lockouts on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

PCI 8.x: Windows Domain Account Lockouts: This report details windows domain account lockouts

PCI 8.x: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Server Password Changes: Tracks password changes

PCI 8.x: Local Windows User Accounts Created: This report captures user accounts added on a server

PCI 8.x: Local Windows User Accounts Deleted: This report captures user accounts removed from a server PCI 8.x: Local Windows User Accounts Modified: This report captures local user account modifications.

PCI 8.x: Users Added To Local Groups: This report captures users added to local groups.

PCI 8.x: Users Added To Global Groups: This report captures users added to global or univeral groups.

PCI 8.x: Users Deleted From Local Groups: This report captures users deleted from local groups.

PCI 8.x: Users Deleted From Global Groups: This report captures users deleted from global or univeral groups.

PCI 8.x: Local Windows Groups Deleted: This report captures local group deletions

PCI 8.x: Local Windows Groups Modified: This report captures local group modifications

PCI 8.x: Local Windows Groups Created: This report captures local group creations

PCI 8.x: Global Windows Groups Created: This report captures global group creations

PCI 8.x: Global Windows Groups Deleted: This report captures global group deletions

PCI 8.x: Global Windows Groups Modified: This report captures global group modifications

PCI 10.x: Detailed Failed Login At PCI System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 10.x: Privileged Windows Server Logon Attempts using the Administrator Account: This report details prvileged logon attempts to a windows server using the Administrator account

PCI 10.x: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections PCI 10.x: Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs

PCI 10.x: Unix Server Privileged Command Execution: This report details privilege command execuations (sudo) at a Unix server

PCI 10.x: Successful Firewall Admin Logon Details: Details about successful firewall logons

PCI 10.x: Failed Firewall Admin Logon Details: Details about failed firewall logons

PCI 10.x: Successful Router Admin Logon Details: Details about successful router logons

PCI 10.x: Failed Router Admin Logon Details: Details about failed router logons

PCI 10.x: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

PCI 10.x: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

PCI 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

PCI 10.x: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

PCI 10.x: Network Device Down/Restart: Tracks network device down and restart events

PCI 10.x: Server Down/Restart: Tracks server down and restart events

PCI 10.x: Application Down/Restart: Tracks application stop and start events

PCI 10.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

PCI 10.x: Network Device Errors: Tracks errors reported by network device

COBIT

COBIT AI2.4: Successful Database Server Logon Details: Captures successful database server logons

COBIT AI2.4: Failed Database Server Logon Details: Captures failed database server logons

COBIT AI2.4: Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

COBIT AI2.5: Server Installed Software Changes: This report captures detected installed software changes

COBIT DS3.x: Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

COBIT DS3.x: Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

COBIT DS3.x: Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

COBIT DS3.x: Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close 1 and the firewall is up for a long time, the the firewall must be busy from a firewalled connection point of view.

COBIT DS3.x: Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

COBIT DS3.x: Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

COBIT DS3.x: Top Network Device Processes By CPU, Mem Util: Ranks the host processes by average cpu utilization over a window COBIT DS3.x: Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by the amount of CPU usage this report provides details on other performance aspects such as memory, threads and classes

COBIT DS3.x: All devices under performance monitoring: Captures all devices under performance monitoring

COBIT DS4.x: Device Ping Monitor Statistics: Tracks the PING response times and packet loss for the monitored devices

COBIT DS4.x: Network Device Down/Restart: Tracks network device down and restart events

COBIT DS4.x: Server Down/Restart: Tracks server down and restart events

COBIT AI2.4,DS4.x: Application Down/Restart: Tracks application stop and start events

COBIT DS4.x: Network Device Failover: Tracks network device failovers

COBIT DS4.x: Network Device Interface Down/Up: Tracks network device interface down and up events

COBIT AI2.4,DS4.x: Server Interface Down/Up: Tracks server network interface down and up events

COBIT DS4.x: Network Device License Expiry: Tracks network device license expiry events

COBIT DS4.x: Application License Expiry: Tracks application license expiry events

COBIT DS4.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

COBIT DS4.x: Top Network Devices, Errors By Count: Ranks network devices by reported error count

COBIT DS4.x: Top Devices by Accumulated Downtime: Ranks the devices by total system downtime over the last week

COBIT AI2.4,DS4.x: Top Applications By Response Time: Ranks the services by average application level probe response times COBIT DS5.4: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Server Password Changes: Tracks password changes

COBIT DS5.4: Local Windows User Accounts Created: This report captures user accounts added on a server

COBIT DS5.4: Local Windows User Accounts Deleted: This report captures user accounts removed from a server COBIT DS5.4: Local Windows User Accounts Modified: This report captures local user account modifications.

COBIT DS5.4: Users Added To Local Windows User Groups: This report captures users added to local groups.

COBIT DS5.4: Users Added To Global Windows User Groups: This report captures users added to global or univeral groups.

COBIT DS5.4: Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

COBIT DS5.4: Users Deleted From Global Windows User Groups: This report captures users deleted from global or univeral groups.

COBIT DS5.4: Local Windows Groups Deleted: This report captures local group deletions

COBIT DS5.4: Local Windows Groups Modified: This report captures local group modifications

COBIT DS5.4: Local Windows Groups Created: This report captures local group creations

COBIT DS5.4: Global Windows Groups Created: This report captures global group creations

COBIT DS5.4: Global Windows Groups Deleted: This report captures global group deletions

COBIT DS5.4: Global Windows Groups Modified: This report captures global group modifications

COBIT DS5.4: Unix Users Added To Group: Tracks user additions to groups

COBIT DS5.4: Unix User Password Changed: Tracks password changes

COBIT DS5.5: Privileged Windows Server Logon Attempts using the Administrator Account: This report details prvileged logon attempts to a windows server using the Administrator account

COBIT DS5.5: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

COBIT DS5.5: Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs

COBIT DS5.5: Unix Server Privileged Command Execution: This report details privilege command execuations (sudo) at a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

COBIT DS5.5: Successful Router Admin Logon Details: Details about successful router logons

COBIT DS5.5: Failed Router Admin Logon Details: Details about failed router logons

COBIT DS5.5: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

COBIT DS5.5: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

COBIT DS5.5: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

COBIT DS5.5: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

COBIT DS5.6: Top Incidents Ranked By Severity, Count: Ranks the incidents by first their severity and then by their count.

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

COBIT DS5.6: Performance Incidents: Captures the performance related incidents

COBIT DS5.6: Security Incidents: Captures the security related incidents

COBIT DS5.9: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

COBIT DS5.9: Spyware found but not remediated by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware found by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

COBIT DS5.9: Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

COBIT DS5.9: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

COBIT DS5.10: Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

COBIT DS5.10: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

COBIT DS5.10: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

COBIT DS5.10: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would be typically be for administrative and monitoring purposes

COBIT DS5.10: Top Blocked Internal Sources, Services, Destinations: Ranks blocked Internal Sources, Services, Destinations Ranked By Connection Count

COBIT DS5.10: Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked Internal Destinations, Services Ranked By Connection Count

COBIT DS5.10: Top Network IPS events By Severity, Count: Ranks the network IPS events by count

COBIT DS5.10: Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

COBIT DS5.10: Top Blocked Network Attacks By Count: Ranks the network attacks attacks blocked by network IPS

COBIT DS5.10: Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used COBIT DS5.10: Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

COBIT DS5.10: Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

COBIT DS5.10: Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Outbound Spam Count: Counts total outbound spam denied by policy

COBIT DS5.10: Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

COBIT DS5.10: Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

COBIT DS9.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

COBIT DS9.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes the changes are detected by logging into the device and hence is accurate.

COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

SOX

SOX (AI2.4): Successful Database Server Logons: Captures successful database server logons

SOX (AI2.4): Failed Database Server Logons: Captures failed database server logons

SOX (AI2.4,DS4.x): Top Applications By Response Time: Ranks the services by average application level probe response times

SOX (AI2.4): Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

SOX (AI2.4,DS4.x): Application Down/Restart: Tracks application stop and start events

SOX (AI2.4,DS4.x): Server Interface Down/Up: Tracks server network interface down and up events

SOX (AI2.5): Server Installed Software Changes: This report captures detected installed software changes

SOX (DS3.x): Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

SOX (DS3.x): Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

SOX (DS3.x): Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

SOX (DS3.x): Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close 1 and the firewall is up for a long time, the the firewall must be busy from a firewalled connection point of view.

SOX (DS3.x): Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

SOX (DS3.x): Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

SOX (DS3.x): Top Network Device Processes By CPU, Mem Util: Ranks the host processes by average cpu utilization over a window SOX (DS3.x): Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by the amount of CPU usage this report provides details on other performance aspects such as memory, threads and classes

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

SOX (DS5.6): Performance Incidents: Captures the performance related incidents

SOX (DS3.x): All devices under performance monitoring: Captures all devices under performance monitoring

SOX (DS5.4): Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x)): Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Server Password Changes: Tracks password changes

SOX (DS5.4,PCI1.x): Local Windows User Accounts Created: This report captures user accounts added on a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Deleted: This report captures user accounts removed from a server SOX (DS5.4,PCI1.x): Local Windows User Accounts Modified: This report captures local user account modifications.

SOX (DS5.4,PCI1.x): Users Added To Local Windows User Groups: This report captures users added to local groups.

SOX (DS5.4): Users Added To Global Windows User Groups: This report captures users added to global or univeral groups.

SOX (DS5.4,PCI1.x): Users Deleted From Local Windows User Groups: This report captures users deleted from local groups. SOX (DS5.4,PCI1.x): Users Deleted From Global Windows User Groups: This report captures users deleted from global or univeral groups.

SOX (DS5.4,PCI1.x): Local Windows Groups Deleted: This report captures local group deletions

SOX (DS5.4,PCI1.x): Local Windows Groups Modified: This report captures local group modifications

SOX (DS5.4,PCI1.x): Local Windows Groups Created: This report captures local group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Created: This report captures global group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Deleted: This report captures global group deletions

SOX (DS5.4,PCI1.x): Global Windows Groups Modified: This report captures global group modifications

SOX (DS5.4,PCI1.x): Unix Users Added To Group: Tracks user additions to groups

SOX (DS5.4,PCI1.x): Unix User Password Changed: Tracks password changes

SOX (DS5.5,PCI1.x): Privileged Windows Server Logon Attempts using the Administrator Account: This report details prvileged

logon attempts to a windows server using the Administrator account

SOX (DS5.5,PCI1.x): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

SOX (DS5.5,PCI1.x): Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs

SOX (DS5.5,PCI1.x): Unix Server Privileged Command Execution: This report details privilege command execuations (sudo) at a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

SOX (DS5.5,PCI1.x): Successful Router Admin Logon Details: Details about successful router logons

SOX (DS5.5,PCI1.x): Failed Router Admin Logon Details: Details about failed router logons

SOX (DS5.5,PCI1.x): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

SOX (DS5.5,PCI1.x): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

SOX (DS5.5,PCI1.x): Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

SOX (DS5.5,PCI1.x): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

SOX (DS5.6): Security Incidents: Captures the security related incidents

SOX (DS5.9): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

SOX (DS5.9): Spyware found but not remediated by Host Antivirus:

SOX (DS5.9): Top Hosts with Malware found by Host Antivirus:

SOX (DS5.9): Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

SOX (DS5.9): Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

SOX (DS5.9): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

SOX (DS5.10): Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

SOX (DS5.10): Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

SOX (DS5.10): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

SOX (DS5.10): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would be typically be for administrative and monitoring purposes

SOX (DS5.10): Top Blocked Internal Sources, Services, Destinations: Ranks blocked Internal Sources, Services, Destinations Ranked By Connection Count

SOX (DS5.10): Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked Internal Destinations, Services Ranked By Connection Count

SOX (DS5.10): Top Network IPS events By Severity, Count: Ranks the network IPS events by count

SOX (DS5.10): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

SOX (DS5.10): Top Blocked Network Attacks By Count: Ranks the network attacks attacks blocked by network IPS

SOX (DS5.10): Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used SOX (DS5.10): Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

SOX (DS5.10): Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

SOX (DS5.10): Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Outbound Spam Count: Counts total outbound spam denied by policy

SOX (DS5.10): Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

SOX (DS5.10): Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

SOX (DS9.x): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

SOX (DS9.x): Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes the changes are detected by logging into the device and hence is accurate.

SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

HIPAA

HIPAA 164.308(a)(3): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(3),164.312(a)(2): Local Windows User Accounts Created: This report captures user accounts added on a server HIPAA 164.308(a)(3): Local Windows User Accounts Deleted: This report captures user accounts removed from a server HIPAA 164.308(a)(3): Local Windows User Accounts Modified: This report captures local user account modifications.

HIPAA 164.308(a)(3): Users Added To Local Groups: This report captures users added to local groups.

HIPAA 164.308(a)(3): Users Added To Global Groups: This report captures users added to global or univeral groups.

HIPAA 164.308(a)(3): Users Deleted From Local Groups: This report captures users deleted from local groups.

HIPAA 164.308(a)(3): Users Deleted From Global Groups: This report captures users deleted from global or univeral groups.

HIPAA 164.308(a)(3): Local Windows Groups Deleted: This report captures local group deletions

HIPAA 164.308(a)(3): Local Windows Groups Modified: This report captures local group modifications

HIPAA 164.308(a)(3): Local Windows Groups Created: This report captures local group creations

HIPAA 164.308(a)(3): Global Windows Groups Created: This report captures global group creations

HIPAA 164.308(a)(3): Global Windows Groups Deleted: This report captures global group deletions

HIPAA 164.308(a)(3): Global Windows Groups Modified: This report captures global group modifications

HIPAA 164.308(a)(4): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes the changes are detected by logging into the device and hence is accurate.

HIPAA 164.308(a)(4): Router Config Changes Detected Via Login: This report captures detected startup or running config changes the changes are detected by logging into the device and hence is accurate.

HIPAA 164.308(a)(4): Router Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

HIPAA 164.308(a)(4): Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

HIPAA 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

HIPAA 164.308(a)(4): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139),

MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

HIPAA 164.308(a)(4): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would be typically be for administrative and monitoring purposes

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Successful Login At HIPAA Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Failed Login At HIPAA System: Captures detailed failed logins at any

device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Firewall Admin Logon Details: Details about successful firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Firewall Admin Logon Details: Details about failed firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Router Admin Logon Details: Details about successful router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Router Admin Logon Details: Details about failed router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

HIPAA 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Privileged Windows Server Logon Attempts using the Administrator Account: This report details prvileged logon attempts to a windows server using the Administrator account

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Windows Server Logons: This report records successful windows server logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Windows Server Logons: This report reports failed windows servers logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Unix Server Logons: This report details successful unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Unix Server Logons: This report details failed unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Command Execution: This report details privilege command execuations (sudo) at a Unix server

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Lockouts: This report captures account lockouts on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures

HIPAA 164.308(a)(5): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(6): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

HIPAA 164.308(a)(6): Spyware found but not remediated by Host Antivirus:

HIPAA 164.308(a)(6): Top hosts with Malware found by Host Antivirus:

HIPAA 164.308(a)(6): Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS HIPAA 164.308(a)(6): Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

HIPAA 164.308(a)(6): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities. HIPAA 164.308(a)(6): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

HIPAA 164.308(a)(6): Top Blocked Network Attacks By Count: Ranks the network attacks attacks blocked by network IPS HIPAA 164.308(a)(6): Top Network IPS events (affecting HIPAA devices) Ranked By Severity, Count: Ranks the network IPS events affecting HIPAA devices

HIPAA 164.308(a)(6): Top System detected Security Incidents (affecting HIPAA devices) Ranked By Severity, Count: Ranks the security related incidents by first their severity and then by their count – restricted to HIPAA devices

HIPAA 164.312(a)(2): Successful VPN Logons: Captures successful VPN logons

HIPAA 164.312(a)(2): Failed VPN Logons: Captures failed VPN logons

HIPAA 164.312(a)(2): Successful Wireless Logons: Captures successful wireless logons

HIPAA 164.312(a)(2): Failed Wireless Logons: Captures failed wireless logons

HIPAA 164.312(a)(2): Successful Windows Domain Authentications: Captures successful domain authentications

HIPAA 164.312(a)(2): Failed Windows Domain Authentications: Captures failed domain authentications

HIPAA 164.312(a)(2): Successful Database Server Logons: Captures successful database server logons

HIPAA 164.312(a)(2): Failed Database Server Logons: Captures failed database server logons

HIPAA 164.312(b): Windows Audit Policy Changed: This report captures audit policy changes

HIPAA 164.312(b): All System Admin User Logon Attempts: Details all System Admin User Logon Attempts

HIPAA 164.312(b): System Operational Warnings: Detects System operational errors including license limits, down collector

FortiSIEM Performance related Reports

$
0
0
Performance related

Network Performance Rules

 

Network Performance Reports

Top Routers Ranked By CPU Utilization: Ranks the routers by average cpu utilization over a window

Top Router Network Intf By Util, Error, Discards: Ranks the firewalls and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

Top Routers By Memory Utilization: Ranks the firewalls by average memory utilization over a window

Top Firewalls By CPU Utilization: Ranks the firewalls by average cpu utilization over a window

Top Firewalls By Connection Count: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close 1 and the firewall is up for a long time, the the firewall must be busy from a firewalled connection point of view.

Top Firewall Network Intf By Util, Error, Discards: Ranks the firewalls and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

Top Firewalls By Memory Utilization: Ranks the firewalls by average memory utilization over a window

Server Performance Rules

 

Server Performance Reports

Top Windows Servers By CPU Util: Ranks the windows servers by average cpu utilization over a window

Top Windows Servers By Memory Util and swap rate: Ranks the devices by average memory utilization and swap rate

Least Loaded Windows Servers By CPU Util: Ranks the windows servers by average cpu utilization over a window

Top Windows Servers By Disk I/O Activity: Ranks the windows servers by average disk I/O utilization over a window. This requires WMI.

Top Windows Servers By Disk Space Util: Ranks the devices by average system disk utilization over a window

Top Unix Devices By CPU Util: Ranks the devices by average cpu utilization

Top Unix Devices By Memory Util and Swap Rate: Ranks the unix devices by average memory utilization over a window and provides details of memory utilization components such as buffered and cached memory

Top Unix Devices By Disk Space Util: Ranks the devices by average system disk utilization over a window

Top Unix Servers By Disk I/O Activity: Ranks the unix servers by average disk I/O utilization over a window

Virtualization Performance Rules

 

Virtualization Performance Reports

VM level

Performance: Top VMs By CPU Utilization: This report ranks virtual machines by cpu utilization

Performance: Top VMs By CPU Utilization With Details: This report ranks virtual machines by cpu utilization. Other CPU usage metrics are included.

Performance: Top VMs By CPU Ready Pct: This report ranks virtual machines by cpu ready percent. A high number indicates the VMis starved of CPU

Performance: Least utilized VMs By CPU: This report ranks virtual machines in the descending order of cpu utilization

Performance: Top VMs By Memory Utilization With Details: This report ranks virtual machines by memory utilization. Other memory usage metrics are included.

Performance: Top VMs By Swap Activity: This report ranks virtual machines by swapping activity

Performance: Top VMs By Memory Utilization: This report ranks virtual machines by memory utilization

Performance: Top VMs By Disk I/O Activity With Details: This report ranks virtual machines by disk I/O activity. Other disk I/O usage metrics are included.

Performance: Top VMs By Disk I/O Read Latency: This report ranks virtual machines by disk I/O latency

Performance: Top VMs By Disk I/O Write Latency: This report ranks virtual machines by disk I/O latency

Performance: Top VMs By Disk I/O Read Volume (MBps): This report ranks virtual machines by disk I/O read (MBps)

Performance: Top VMs By Disk I/O Write Volume (MBps): This report ranks virtual machines by disk I/O writes (MBps)

 

Performance: Top VMs By Datastore I/O Activity With Details: This report ranks virtual machines by datastore I/O activity. Other datastore I/O usage metrics are included.

Performance: Top VMs By Datastore I/O Read Latency: This report ranks virtual machines by datastore I/O latency

Performance: Top VMs By Datastore I/O Write Latency: This report ranks virtual machines by datastore I/O latency

Performance: Top VMs By Datastore I/O Read Volume (MBps): This report ranks virtual machines by datastore I/O read (MBps)

Performance: Top VMs By Datastore I/O Write Volume (MBps): This report ranks virtual machines by datastore I/O writes (MBps)

ESX level

Performance: Top ESX Hosts By CPU Utilization: This report ranks ESX hosts by aggregate cpu utilization. Other CPU usage metrics are included.

Performance: Top ESX Hosts By Memory Utilization With Details: This report ranks ESX hosts by memory utilization. Other memory usage metrics are included.

Performance: Top ESX Hosts By Memory Utilization: This report ranks ESX hosts by memory utilization.

Performance: Top ESX Hosts By Swap Activity: This report ranks ESX hosts by swap activity

Performance: ESX Hosts With Balooning Memory: This report identifies ESX hosts with low enough memory where memory balooning technique is used for memory management

Performance: ESX Hosts With Swapping Memory: This report identifies ESX hosts with low memory where swapping memory technique is used for memory management

Performance: Top ESX Hosts By Disk I/O Activity With Details: This report ranks ESX hosts by disk I/O operations. Other disk I/O usage metrics are included.

Performance: Top ESX Hosts By Disk I/O Read Volume (MBps): This report ranks ESX hosts by read disk I/O (MBps)

Performance: Top ESX Hosts By Disk I/O Write Volume (MBps): This report ranks ESX hosts by write disk I/O (MBps)

Performance: Top ESX Hosts By Disk I/O Latency With Details: This report ranks ESX hosts by disk I/O latency. Other disk I/O usage metrics are included.

Performance: Top ESX Hosts By Kernel Disk I/O Read Latency: This report ranks ESX hosts by kernel disk I/O read latency.

Performance: Top ESX Hosts By Kernel Disk I/O Write Latency: This report ranks ESX hosts by kernel disk I/O write latency. Performance: Top ESX Hosts By Device Disk I/O Read Latency: This report ranks ESX hosts by device disk I/O read latency Performance: Top ESX Hosts By Device Disk I/O Write Latency: This report ranks ESX hosts by device disk I/O write latency.

Performance: Top ESX Hosts By Network Activity With Details: This report ranks ESX hosts by network activity.

Performance: Top ESX Hosts By Inbound Network Utilization: This report ranks ESX hosts by inbound network utilization

Performance: Top ESX Hosts By Outbbound Network Utilization: This report ranks ESX hosts by outbound network utilization

Performance: Datastores with Highest Utilization: This report ranks ESX hosts by datastore utlization

Performance: Datastores with Lowest Free Space: This report ranks ESX datastore with lowest free space

Performance: Top ESX Hosts By Datastore I/O Activity With Details: This report ranks ESX hosts by datsatore I/O operations. Other datastore I/O usage metrics are included.

Performance: Top ESX Hosts By Datastore I/O Read Volume (MBps: This report ranks ESX hosts by read datastore I/O (MBps)

Performance: Top ESX Hosts By Datastore I/O Write Volume (MBps): This report ranks ESX hosts by write datastore I/O (MBps) Performance: Top ESX Hosts By Datastore I/O Latency With Details: This report ranks ESX hosts by datastore I/O latency. Other datastore I/O usage metrics are included.

Performance: Top ESX Hosts By Kernel Datastore I/O Read Latency: This report ranks ESX hosts by kernel datastore I/O read latency.

Performance: Top ESX Hosts By Kernel Datastore I/O Write Latency: This report ranks ESX hosts by kernel datastore I/O write latency.

Performance: Top ESX Hosts By Device Datastore I/O Read Latency: This report ranks ESX hosts by device datastore I/O read latency

Performance: Top ESX Hosts By Device Datastore I/O Write Latency: This report ranks ESX hosts by device datastore I/O write latency.

Cluster level

Performance: Top VMWare Clusters By CPU Utilization: This report ranks VMWare clusters by CPU utilization

Performance: Top VMWare Clusters By Memory Utilization: This report ranks VMWare clusters by memory utilization

Performance: Top VMWare Clusters By Device Datastore Read Latency: This report ranks VMWare clusters by datastore read latency

Performance: Top VMWare Clusters By Device Datastore Write Latency: This report ranks VMWare clusters by datastore write latency

Performance: Top VMWare Clusters By Datastore I/O Activity With Details: This report ranks VMWare Clusters by datsatore I/O operations. Other datastore I/O usage metrics are included.

Performance: Top VMWare Clusters By Datastore I/O Read Volume (MBps): This report ranks ESX hosts by read datastore I/O (MBps)

Performance: Top VMWare Clusters By Datastore I/O Write Volume (MBps): This report ranks ESX hosts by write datastore I/O (MBps)

Performance: Top VMWare Clusters By Datastore I/O Latency With Details: This report ranks ESX hosts by datastore I/O latency.

Other datastore I/O usage metrics are included.

Performance: Top VMWare Clusters By Kernel Datastore I/O Read Latency: This report ranks ESX hosts by kernel datastore I/O read latency.

Performance: Top VMWare Clusters By Kernel Datastore I/O Write Latency: This report ranks ESX hosts by kernel datastore I/O write latency.

Performance: Least Utilized VMWare Clusters By CPU: This report ranks least utilized VMWare clusters by CPU utilization

Performance: Least Utilized VMWare Clusters By Memory: This report ranks least utilized VMWare clusters by memory utilization Performance: Least Utilized VMWare Clusters By Device Datastore Read Latency: This report ranks least utilized VMWare clusters by datastore read latency

Performance: Least Utilized VMWare Clusters By Device Datastore Write Latency: This report ranks least utilized VMWare clusters by datastore write latency

Performance: Least Utilized VMWare Clusters By Disk I/O Read Volume (MBps): This report ranks least utlized VMware clusters by disk I/O read (MBps)

Performance: Least Utilized VMware Clusters By Disk I/O Write Volume (MBps): This report ranks least utilized VMWare clusters by disk I/O write volume (MBps)

Resource pool level

 Performance: Top VMWare Resource Pools By CPU Utilization: This report ranks VMWare resource pools by CPU utilization Performance: Top VMWare Resource Pools By Memory Utilization: This report ranks least utilized VMWare resource pools by memory utilization

FortiSIEM Application Performance Reports

$
0
0
Application Performance Reports

Performance: Top Oracle Database servers by buffer cache hit ratio: Ranks the Oracle database servers by buffer cache hit ratio and presents other metrics

Performance: Top Oracle Database servers by table space usage: Ranks the Oracle databases by table space usage

Performance: Top MS SQL Database servers by buffer cache hit ratio: Ranks the MS SQL Servers by buffer cache hit ratio and presents other metrics

Performance: Top MS SQL Database servers by space usage: Ranks the MS SQL Servers by space usage


FortiSIEM Security Related Rules and Reports

$
0
0
Security Related Rules and Reports
Security Rules

Access Control Violations

Network Scanning Activity

Malware

Explicit Security Exploits

Policy Violations

Security Reports

Access Control Reports

Malware Reports

Other Security Issues

Network Traffic Analysis

Access Control Violations

Network Device Access

Multiple Admin Login Failures: Net Device: Detects excessive logon failures at a network device – 5 consecutive failures in a 10 minute period.

Repeated Admin Multiple Login Failures: Net Device: Detects repeating occurrences of multiple logon failures at a network device

Account Locked: Network Device: Detects account lockout caused by excessive logon failures

Server Access

Multiple Logon Failures: Server: Detects excessive logon failures at a server – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: Server: Detects repeating occurrences of multiple logon failures at a server from the same user. Multiple Privileged Logon Failures: Server: Detects excessive privileged logon failures at a server – 3 consecutive failures in a 10 minute period

Account Locked: Server: Detects account lockout caused by excessive logon failures

Network Access

Multiple Logon Failures: Domain: Detects multiple domain logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: Domain: Detects repeating occurrences of multiple domain logon failures

Multiple Logon Failures: VPN: Detects multiple VPN logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: VPN: Detects repeating occurrences of excessive VPN logon failures

Multiple Logon Failures: WLAN Detects multiple Wireless logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: WLAN: Detects repeating occurrences of excessive wireless LAN logon failures

Account Locked: Domain: Detects account lockout caused by excessive logon failures

Application Access

Multiple Logon Failures: Web Server: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logsons include the one that may require authentication for accessing the authentication, such as HTTP, SNMP, FTP, POP3, IMAP etc.

Repeated Multiple Logon Failures: Web Server: Detects repeating occurrences of multiple application logon failures

Multiple Logon Failures: Database: Detects excessive database logon failures – 5 consecutive failures in a 10 minute period.

Repeated Multiple Logon Failures: Database: Detects repeating occurrences of multiple application logon failures

Multiple Logon Failures: Misc App: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logsons include the one that may require authentication for accessing the authentication, such as HTTP, SNMP, FTP, POP3, IMAP etc.

Repeated Multiple Logon Failures: Misc App: Detects repeating occurrences of multiple application logon failures

Special situations

Privileged Command Execution Failure: Detects excessive privileged command execution (e.g. sudo exec) failure at a server

Disabled Account Logon Attempt: Detects logon attempts to disabled accounts

Logon Time Restriction Violation: Detects logon attempts at times which are not permitted by policy

Multiple Logon Failures: Same Src, Multiple Hosts: Detects the same source having excessive logon failures at distinct hosts Multiple Logon Failures: Same Src and Dest, Multiple Accounts: Detects same source having excessive logon failures at the same destination host but multiple distinct accounts are used during the logon failure

Suspicious Logon Failure: no following successful login: Detects an unusual condition where a source has authentication failures at

a host but that is not followed by a successful authentication at the same host within the same day

Failed VPN Logon From Outside My Country: Detects VPN logon from outside my country. My Country is set to “United States” and may need to be changed for outside United States

Concurrent Failed Authentications To Same Account  From Multiple Countries: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple countries.

Concurrent Failed Authentications To Same Account From Multiple Cities: Detects simultaneous failed server/network

device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple cities.

Concurrent Successful Authentications To Same Account From Multiple Countries: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple countries. Concurrent Successful Authentications To Same Account From Multiple Cities: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple cities.

Concurrent VPN Authentications To Same Account From Different Cities: Detects simultaneous VPN authentications to the same account within a short period of time from different cities. This may indicate a stolen credential.

Suspicious logon attempt detected: Detects suspicious logon attempts that indicate policy violations, e.g. root logon to database servers, default passwords, attempts to bypass authentication, root logon over unencrypted protocols such as Telnet, ftp, anonymous logons etc.

Transient Account Usage: Detects that an account was created, used and then deleted within a short period of time

Multiple Accounts Disabled by Administrator: Detects that multiple (more than 3) accounts were disabled by administrator in a short period of time

Network Scanning Activity

 Heavy TCP Host Scan: Detects excessive half-open TCP sessions from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

 Heavy TCP Host Scan On Fixed Port: Detects excessive half-open TCP sessions from the same source to many distinct destinations and on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers. Heavy TCP Port Scan: Single Host: Detects a host performing a port scan – this involves excessive half open TCP connections from the same source to many distinct ports on a host in a short period of time. The thresholds are at least 20 distinct ports in a 2 minute window

Heavy TCP Port Scan: Multiple Hosts: Detects that a source is doing port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window

Heavy UDP Host Scan: Detects excessive number of UDP connections from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

 Heavy UDP Host Scan On Fixed Port: Detects excessive number of UDP connections from the same source to many distinct destinations and on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers. Heavy UDP Port Scan: Single Host: Detects excessive UDP connections from the same source to many distinct ports on the same destination in a short period of time

Heavy UDP Port Scan: Multiple Hosts: Detects that a source is doing UDP port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window

Heavy ICMP Ping sweep: Detects excessive number of ICMP echo request packets from the same source to many distinct destinations in a short period of time. Nachhi worm exploited pings to spread. The threshold is 50 pings within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted.

Excessive ICMP Unreachables: Detects an usually high frequency of ICMP destination unreachable packets between the same source and destination – this indicates routing error

TCP DDOS Attack: Detects excessive number of half-open TCP connections from many distinct sources to the same destination host and on the same port in a short period of time. This may indicate that the destination server is under some sort of attack.

Excessive Denied Connections From Same Src: Detects excessive denies from the same source to many distinct destinations on the same port in a short period of time. The intent could be malicious or some sort of misconfiguration.

Excessive Denied Connections To Same Destination: Detects excessive denies from many distinct sources to the same destination on the same destination port

Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.

Invalid TCP/UDP Port Traffic: Detects invalid TCP/UDP traffic with 0 port

Invalid TCP Flags – Medium Intensity: Detects moderate (e.g. 100 or more flows in 5 minutes) amount of traffic with invalid TCP flag combinations (NULL,FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH,SYN-FIN-RESET-PUSH-ACK-URG) may indcate scanning and probing activity from the sender

Invalid TCP Flags – High Intensity: Detects excessive (e.g. 500 or more flows in 5 minutes) amount of traffic with invalid TCP flag combinations (FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH,SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender

Excessive ICMP Traffic From Same Source: Detects excessive (e.g. more than 5000 in 5 minutes) ICMP traffic from the same source

 

Malware

Source: Antivirus, Security gateway, Host IPS, Network IPS, Firewall Log

Virus outbreak: Detects potential virus outbreak – same virus found on three distinct computers/IP addresses

Virus found but not remediated: Detects that host anti-virus or content inspection devices found a virus but could not remediate it Spyware found but not remediated: Detects that host anti-virus or content inspection devices found a spyware but could not remediate it

Spam/Malicious Mail Attachment found but not remediated:

Scanner found severe vulnerability:

Rootkit found:

Phishing attack found but not remediated:

Malware found but not remediated:

Denied Blacklisted Source:

Denied Blacklisted Destination:

Multiple Distinct IPS Events From Same Src:

Permitted Blacklisted Source:

Permitted Blacklisted Destination:

Source: External threat intelligence

Traffic to Zeus Blocked IP List:

Traffic to Emerging Threat Spamhaus List:

Traffic to Emerging Threat Shadow server List:

Traffic to Emerging Threat RBN List:

Traffic to Emerging Threat Dshield List:

Permitted traffic from Emerging Threat Spamhaus List:

Permitted Traffic from Zeus Blocked IP List:

Permitted Traffic from Emerging Threat Shadow server List:

Permitted Traffic from Emerging Threat RBN List:

Permitted Traffic from Emerging Threat Dshield List:

DNS Traffic to Malware Domains:

Adware process found:

Traffic to bogon networks:

Source: Network Traffic Analysis

Excessive End User Mail: Detects a scenario where a host, that is itself not an authorized mail gateway, is sending excessive emails (more than 20 emails in 2 minutes). This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).

Excessive Denied End User Mail To Unauthorized Mail Gateways: Detects a scenario where a host, that is itself not an authorized mail gateway, is unsuccessfully trying to send excessive emails to unauthorized mail gateways. Authorized mail gateways are represented by the “Mail Gateway” group. Such requests would be typically denied because, either the firewall would block SMTP from end hosts and/or mail gateways only receive mail from other authorized mail gateways. This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).  End User DNS Queries to Unauthorized DNS Servers: Detects a scenario where a host, that is itself not a DNS server, is trying to send DNS requests to unauthorized DNS servers. Authorized DNS servers are represented by the “DNS Server” group. In a typical scenario, end hosts always send DNS requests to authorized DNS servers which in turn communicate to other DNS servers – so this behavior may indicate malware running on the end host.

Excessive End User DNS Queries: Detects a scenario where a host, that is itself not an DNS server, is sending excessive DNS requests. Authorized DNS servers are represented by the “DNS Server” group. In a typical scenario, the frequency of end host DNS requests is not high unless, there is a script running – this might indicate the presence of malware on the end host.

Excessive Denied DNS Queries: Detects a scenario where a host, has a very high frequency of denied DNS traffic.

Excessive Uncommon DNS Queries: Detects the same host that is not a DNS server, doing an excessive amount of uncommon domain name queries – this indicates the host is likely infected with malware. An end host typically needs to perform only A and PTR queries; any other query inidicates the likely presence of malware.

Excessive Repeated DNS Queries To Same Domain: Detects an usually high frequency of DNS name resolution queries from the same host to the same domain name in a short period of time. This is not expected behavior since, in a typical scenario, the domain name resolution is cached at the end point. Repeated queries indicates that a special DNS client is likely running at the end host that is trying to make use of fast flux techniques to get back many infected hosts behind a crafted domain name.

Excessive Malware Domain Name Queries: Detects bad domain name queries which indicate malware infected end hosts.

 

Suspicious Botnet like End host DNS Behavior: Detects an end host meeting at least 3 requirements for suspicious use of DNS requests – this indicates that a bot is likely running on the end host

Unusually Large ICMP Echo Packets: Detects large (> 200 bytes/pkt) ICMP echo request and response packets – this is unusual since ICMP packets carry minimal information and are small in size. THis may indicate that some other traffic is being carried over ICMP protocol.

Unusual ICMP Traffic:

Explicit Security Issues

SQL Injection Attack detected by NIPS:

High Severity Non-Cisco IPS Exploit:

High Severity Inbound Permitted IPS Exploit:

High Severity Inbound Denied Security Exploit:

High Risk Rating Cisco IPS Exploit:

Excessive WLAN Exploits: Same Source:

Excessive WLAN Exploits:

DoS Attack detected by NIPS:

Distributed DoS Attack detected by NIPS:

Layer 2 Switch Port Security Violation:

Policy violations

Firewall Perimeter Policy

Outbound cleartext password usage detected:

Inbound cleartext password usage detected:

VNC from Internet:

Remote Desktop from Internet:

Large Outbound Transfer:

Large Outbound Transfer To Outside My Country:

Large Inbound Transfer From Outside My Country:

External website access policy

Inappropriate Website access: Multiple categories:

Inappropriate Website access: High volume:

Inappropriate Website access:

Internal website access policy

Executable file posting from external source:

Excessive HTTP Client Side Errors:

Excessive FTP Client Side Errors:

Change control policy

 Windows Audit Log Cleared:

Windows Audit Disabled:

WLAN policy

Rogue or Unsecure AP Detected:

Excessive Rogue or Unsecure APs Detected:

Wireless Host Blacklisted:

VPN policy

 Long lasting VPN session:

High throughput  VPN session:

Suspicious Traffic

 Tunneled traffic detected: IRC traffic detected:

P2P traffic consuming high network bandwidth:

 

Access Control Reports

Network Device Access

Failed Router Admin Logons: Details about failed router administrative logons

Successful Router Admin Logons: Details about successful router administrative logons

Failed Firewall Admin Logons: Details about failed firewall administrative logons

Successful Firewall Admin Logons: Details about successful firewall administrative logons

Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

Network Access

Top Users Ranked By Successful VPN Logon: Ranks the VPN Gateways and their users by the number of successful VPN logons.

Top VPN Gateways Ranked By Distinct Users: Ranks the VPN Gateways by the total number of distinct user logons

Top VPN Users Ranked By Failed VPN Logons: Ranks the VPN Gateways and their users by the number of failed VPN logons.

Wireless Logon Failure Details: Provides details of wireless logon authentication failures

Top Wireless Controllers, Users By Failed Logon Count: Ranks wireless controllers by the total number of failed logons

Top Windows Domain Controllers, Users By Successful Domain Authentication Count: Ranks the Windows Domain Controllers and their users by the number of successful domain authentications

Top Windows Domain Controllers, Users By Failed Domain Authentication Count: Ranks the Windows Domain Controllers and the users by the number of failed authentications

Windows Domain Account Lockouts: Details windows domain account lockouts

Remote Desktop Connections to Domain Controller: Details successful remote desktop connections

Privileged Domain Controller Logon Attempts using the Administrator Account: Ranks the windows servers and their users by the number of failed logons using the administrator account

Failed Authentication Server Logons: Captures failed AAA Server Logons

Successful Authentication Server Logons: Captures successful AAA Server Logons

Server Access

Top Unix Servers, Users By Successful Logon Count: This report ranks the UNIX servers and their users by successful logon count

Top Unix Servers, Users By Failed Logon Count: This report ranks the UNIX servers and their users by failed logon count

Top Unix Servers, Users By Successful Privilege Escalation Count: This report ranks the UNIX servers and their users by successful privilege escalations (su) count

Top Unix Servers, Users By Failed Privilege Escalation Count: This report ranks the UNIX servers and their users by failed privilege escalations (su) count

Top Windows Servers, Users By Successful Logon Count: Ranks the Windows Servers and their users by the number of successful logons

Top Windows Servers, Users By Failed Logon Count: Ranks the Windows Servers and the users by the number of failed authentications

Windows Server Account Lockouts: Details windows server lockouts

Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures

Remote Desktop Connections to Windows Servers: Details successful remote desktop connections

Privileged Server Logon Attempts using the Administrator Account: Ranks the windows servers and their users by the number of failed logons using the administrator account

Application Access

Top FTP Clients By Unauthorized Access Error Count: Ranks FTP servers and their clients by the total number of unauthorized access error count

Top Web Visitors By Unauthorized Access Error Count: Ranks web servers and visitors by the total number of unauthorized access error count

Top Users By Successful Database Server Logons: Ranks database users by the number of successful logons

Top Users By Failed Database Server Logons: Ranks database users by the number of failed logons

Malware Reports

Virus found and remediated Captures events that indicate the viruses found and remediated – the events could be from Host Anti-virus or Network Security Gateways

Virus found but not remediated Captures events that indicate viruses found but failed to remedy – the events could be from Host Anti-virus or Network Security Gateways

Spyware found and remediated Captures events that indicate spyware was found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways

Spyware found but not remediated Captures events that indicate spyware was found but the detecting software failed to remediated the vulnerability – the events could be from Host Anti-virus or Network Security Gateways

Spam/Malicious Mail Attachment found and remediated Captures events that indicate spam or mailicious mail attachments were found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways

Spam/Malicious Mail Attachment found but not remediated Captures events that indicate spyware was found but the detecting software did not remediated the vulnerability

Phishing attempt found and remediated Captures events that indicate phishing attempt

Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

Top Computers with Malware Found By Antivirus and Security Gateways: Tracks computers with Malware as found by Host Anti-virus and Security Gateways

Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS – these are somewhat less reliable than Host Anti-virus and Security Gateways

Top IPs with Malware Found By Security Gateways: Tracks IP addresses with Malware as found by Security Gateways

Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities. Host Vulnerabilities discovered: Tracks vulnerabilities discovered on a host

Other Security Issues

Top Network IPS events By Severity, Count: Ranks the network IPS events by count

Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

Top Blocked Network Attacks By Count: Ranks the network attacks attacks blocked by network IPS

Rogue APs detected: Lists the rogue APs

Rogue AP Detection Details: Provides details of rogue AP events

Top WLAN IDS Alerts: Ranks WLAN IDS alerts

Multiple Distinct IPS Events From Same Src: Detects multiple IPS events from the same source IP in a short period of time – the source IP may have been infected

Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.

High Risk Rating Cisco IPS Exploit: Detects a high risk rating IPS exploit event. This is applicable for Cisco IPS.

High Severity IPS Exploit: Detects a high severity IPS exploit detected by non-Cisco IPS

High Severity Security Exploit: Detects a high severity security exploit detected by non IPS devices

Network Traffic Analysis

Top Conversations By Bytes: Ranks the top conversations by total bytes. A conversation includes Source IP, Destination IP, Protocol and Destination Port.

Top Conversations By Bytes: Detailed View Ranks the top conversations by total bytes but also provides, sent Bytes and received Bytes as additional information. A conversation includes Source IP, Destination IP, Protocol and Destination Port.

Top Source IPs By Bytes Ranks the top source IPs by bytes

Top Source IPs By Bytes: Detailed View Ranks the top source IPs and destination ports by bytes

Top Destination IPs By Bytes Ranks the top destination IPs by bytes

Top Destination IPs By Bytes: Detailed View Ranks the top destination IPs and ports by bytes

Top Protocols By Bytes: Ranks the top protocols and destination ports by bytes

Top Protocols By Bytes: Detailed View: Ranks the top protocol and destination ports by bytes Top Router Link Usage By Bytes Ranks the top router link usage by bytes

 

FortiSIEM Availability Related Rules and Reports

$
0
0
Availability Related Rules and Reports
AccelOps Availability Rules

System component issues

System Collector Down: Detects that collector is down

System Collector Event Delayed: Detects that collector has not sent an event to AccelOps cloud for more than 10 minutes System Worker Down: Detects that system worker is down License Issues

System License Warning: High Event Rate: Detects that the system is receiving events at a rate that is higher than the license limit.

Events beyond the license limit would be dropped unless the license is upgraded

System License Warning: High Config Items: Detects that the number of CMDB configuration items is close to the license limit additonal configuration items would not be stored unless the license is upgraded.

Notification issues

Scheduled Report Send Error: Detects that system has failed to deliver a scheduled report

Incident Notification Error: Detects that system has failed to take notification action on an incident

Large Supervisor JMS Request Queue: Detects that Supervisor JMS Request queue is very large

Large Supervisor JMS System Queue: Detects that Supervisor JMS System queue is very large

Data collection errors

WMI Service Unavailable: Detects that WMI service is unavailable

SNMP Service Unavailable: Detects that SNMP service is unavailable

Performance Monitoring Error: Detects that the system failed to monitor a performance monitoring metric

No Events Reported In Last Hour: Detects that a reporting device that reported events (logs etc) in the last hour did not report any events this hour. This does not include monitoring events (like CPU, Memory etc). This indicates that there is a problem in the network or at the reporting device.

Large Worker Input Event Queue: Detects that Worker input event queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling events and cannot keep pace with the rate at which workers are sending events. Consider ading more workers or adding resources to workers.

Large Worker Input SVN Queue: Detects that Worker input SVN queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling SVN files from collectors or from the parser modules. Check the SVN installation. Event Storage/Archiving/Purging issues

FortiOS 5.4.5 Release Notes

$
0
0

Change Log

Date Change Description
2017-06-08 Initial release of FortiOS 5.4.5.
2017-06-09 Added 403937 to Resolved Issues.

Updated Upgrade Information > Upgrading to FortiOS 5.6.0.

Updated 435124 in Known Issues.

2017-06-13 Removed 416678 from Known Issues.

Added 398052 to Resolved Issues.

Added FGT-140 and FGT-140-POE to Introduction > Supported models > Special branch supported models.

2017-06-15 Added 399711, 421739, and 423452 to Resolved Issues.
2017-06-26 Added 389863 to Resolved Issues.
2017-06-30 Removed 374501 from Resolved Issues since that was resolved in 5.4.4.

In Product Integration and Support section, updated FortiClient support to 5.4.1 and later.

2017-07-12 Added 424215 to Known Issues.

Introduction

This document provides the following information for FortiOS 5.4.5 build 1138:

FortiGate FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D,

FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG- 200D, FG-200DPOE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-

600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D,

FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C,

FG-3700D, FG-3700DX, FG-3800D, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE
FortiGate Rugged FGR-60D, FGR-90D
FortiGate VM FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN

FortiOS 5.4.5 supports the additional CPU cores through a license update on the following VM models:

l     VMware 16, 32, unlimited l KVM 16

l     Hyper-V 16, 32, unlimited

Pay-as-you-go images FOS-VM64, FOS-VM64-KVM
FortiOS Carrier FortiOS Carrier 5.4.5 images are delivered upon request and are not available on the customer support firmware download page.

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.5 supports the following models.

Introduction                                                                                                                              Supported models

Special branch supported models

The following models are released on a special branch of FortiOS 5.4.5. To confirm that you are running the correct build, run the CLI command get system status and check that the Branch point field shows 1138.

FGR-30D is released on build 7662.
FGR-35D is released on build 7662.
FGR-30D-A is released on build 7662.
FGT-30E-MI is released on build 6229.
FGT-30E-MN is released on build 6229.
FWF-30E-MI is released on build 6229.
FWF-30E-MN is released on build 6229.
FWF-50E-2R is released on build 7657.
FGT-52E is released on build 6226.
FGT-60E is released on build 6225.
FWF-60E is released on build 6225.
FGT-61E is released on build 6225.
FWF-61E is released on build 6225.
FGT-80E is released on build 6225.
FGT-80E-POE is released on build 6225.
FGT-81E is released on build 6225.
FGT-81E-POE is released on build 6225.
FGT-90E is released on build 6230.
FGT-90E-POE is released on build 6230.
FGT-91E is released on build 6230.
FWF-92D is released on build 7660.
FGT-100E is released on build 6225.

 

What’s new in FortiOS 5.4.5                                                                                                                Introduction

FGT-100EF is released on build 6225.
FGT-101E is released on build 6225.
FGT-140E is released on build 6257.
FGT-140E-POE is released on build 6257.
FGT-200E is released on build 6228.
FGT-201E is released on build 6228.
FGT-2000E is released on build 6227.
FGT-2500E is released on build 6227.

What’s new in FortiOS 5.4.5

For a detailed list of new features and enhancements that have been made in FortiOS 5.4.5, see the What’s New forFortiOS 5.4.5 document available in the Fortinet Document Library.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

Default log setting change

For FG-5000 blades, log disk is disabled by default. It can only be enabled via CLI. For all 2U & 3U models (FG-3600/FG-3700/FG-3800), log disk is also disabled by default. For all 1U models and desktop models that supports SATA disk, log disk is enabled by default.

FortiAnalyzer Support

In version 5.4, encrypting logs between FortiGate and FortiAnalyzer is handled via SSL encryption. The IPsec option is no longer available and users should reconfigure in GUI or CLI to select the SSL encryption option as needed.

Removed SSL/HTTPS/SMTPS/IMAPS/POP3S

SSL/HTTPS/SMTPS/IMAPS/POP3S options were removed from server-load-balance on low end models below FG-100D except FG-80C and FG-80CM.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

  • PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
  • Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config system global set hw-switch-ether-filter <enable | disable>

FG-900D and FG-1000D                                                                                                               Special Notices

When the command is enabled:

  • ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

  • All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FG-3700DX

CAPWAP Tunnel over the GRE tunnel (CAPWAP + TP2 card) is not supported.

FortiGate units managed by FortiManager 5.0 or 5.2

Any FortiGate unit managed by FortiManager 5.0.0 or 5.2.0 may report installation failures on newly created VDOMs, or after a factory reset of the FortiGate unit even after a retrieve and re-import policy.

FortiClient Support

Only FortiClient 5.4.1 and later is supported with FortiOS 5.4.1 and later. Upgrade managed FortiClients to 5.4.1 or later before upgrading FortiGate to 5.4.1 or later.

Consider the FortiClient license before upgrading. Full featured FortiClient 5.2 and 5.4 licenses will carry over into FortiOS 5.4.1 and later. Depending on your organization’s needs, you might need to purchase a FortiClient EMS license for endpoint provisioning. Contact your sales representative for guidance on the appropriate licensing for your organization.

The perpetual FortiClient 5.0 license (including the 5.2 limited feature upgrade) will not carry over into FortiOS 5.4.1 and later. You need to purchase a new license for either FortiClient EMS or FortiGate. A license is compatible with 5.4.1 and later if the SKU begins with FC-10-C010.

 

Special Notices                                                                                FortiClient (Mac OS X) SSL VPN Requirements

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Cooperative Security Fabric in FortiOS, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

In the FortiClient profile on FortiGate, when you set the Non-Compliance Action setting to Auto-Update, the

FortiClient profile supports limited provisioning for FortiClient features related to compliance, such as AntiVirus,

Web Filter, Vulnerability Scan, and Application Firewall. When you set the Non-Compliance Action setting to Block or Warn, you can also use FortiClient EMS to provision endpoints, if they require additional other features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security

Profiles.

When you upgrade to FortiOS 5.4.1 and later, the FortiClient provisioning capability will no longer be available in FortiClient profiles on FortiGate. FortiGate will be used for endpoint compliance and Cooperative Security Fabric integration, and FortiClient Enterprise Management Server (EMS) should be used for creating custom FortiClient installers as well as deploying and provisioning FortiClient on endpoints. For more information on licensing of EMS, contact your sales representative.

FortiPresence

FortiPresence users must change the FortiGate web administration TLS version in order to allow the connections on all versions of TLS. Use the following CLI command.

config system global set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2

end

Log Disk Usage

Users are able to toggle disk usage between Logging and WAN Optimization for single disk FortiGates.

To view a list of supported FortiGate models, refer to the FortiOS 5.4.0 Feature Platform Matrix.

SSL VPN setting page                                                                                                                   Special Notices

SSL VPN setting page

The default server certificate has been changed to the Fortinet_Factory option. This excludes FortiGateVMs which remain at the self-signed option. For details on importing a CA signed certificate, please see the How to purchase and import a signed SSL certificate document.

FG-30E-3G4G and FWF-30E-3G4G MODEM Firmware Upgrade

The 3G4G MODEM firmware on the FG-30E-3G4G and FWF-30E-3G4G models may require updating. Upgrade instructions and the MODEM firmware have been uploaded to the Fortinet CustomerService & Support site.

Log in and go to Download > Firmware. In the Select Product list, select FortiGate, and click the Download tab. The upgrade instructions are in the following directory:

…/FortiGate/v5.00/5.4/Sierra-Wireless-3G4G-MODEM-Upgrade/

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.4.5

FortiOS version 5.4.5 officially supports upgrading from version 5.4.3 and later and 5.2.9 and later.

When upgrading from a firmware version beyond those mentioned in the Release Notes, a recommended guide for navigating the upgrade path can be found on the Fortinet documentation site.

There is a separate version of the guide describing the safest upgrade path to the latest patch of each of the supported versions of the firmware. To upgrade to this build, go to FortiOS 5.4 Supported Upgrade Paths.

Upgrading to FortiOS 5.6.0

Cooperative Security Fabric Upgrade

FortiOS 5.4.1 and later greatly increases the interoperability between other Fortinet products. This includes:

  • FortiClient 5.4.1 and later l FortiClient EMS 1.0.1 and later l FortiAP 5.4.1 and later l FortiSwitch 3.4.2 and later

The upgrade of the firmware for each product must be completed in a precise order so the network connectivity is maintained without the need of manual steps. Customers must read the following two documents prior to upgrading any product in their network:

  • Cooperative Security Fabric – Upgrade Guide
  • FortiOS 5.4.x Upgrade Guide for Managed FortiSwitch Devices

This document is available in the Customer Support Firmware Images download directory for FortiSwitch 3.4.2.

FortiGate-VM 5.4 for VMware ESXi                                                                                          Upgrade Information

FortiGate-VM 5.4 for VMware ESXi

Upon upgrading to FortiOS 5.4.5, FortiGate-VM v5.4 for VMware ESXi (all models), no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles

When downgrading from 5.4 to 5.2, users will need to reformat the log disk.

Amazon AWS Enhanced Networking Compatibility Issue

Due to this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.4.1 or later image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Downgrading to older versions from 5.4.1 or later running the enhanced nic driver is not allowed. The following AWS instances are affected:

  • C3 l C4 l R3 l I2
  • M4 l D2

 

Upgrade Information                                                                                                            FortiGate VM firmware

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

  • .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

  • .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
  • .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.4.5 support

The following table lists 5.4.5 product integration and support information:

Web Browsers l Microsoft Edge 38 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Google Chrome version 58 l Apple Safari version 9.1 (For Mac OS X)

Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 40 l Microsoft Internet Explorer 11 l Mozilla Firefox version 53 l Apple Safari version 10 (For Mac OS X) l Google Chrome version 58

Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager For the latest information, see the FortiManagerand FortiOS Compatibility.

You should upgrade your FortiManager prior to upgrading the FortiGate.

FortiAnalyzer For the latest information, see the FortiAnalyzerand FortiOS Compatibility.

You should upgrade your FortiAnalyzer prior to upgrading the FortiGate.

FortiClient Microsoft

Windows and FortiClient

Mac OS X

l 5.4.1 and later

If FortiClient is being managed by a FortiGate, you must upgrade FortiClient before upgrading the FortiGate.

FortiClient iOS l 5.4.1 and later
FortiClient Android and FortiClient VPN Android l 5.4.0 and later

FortiOS 5.4.5

FortiAP l 5.4.1 and later l 5.2.5 and later

Before upgrading FortiAP units, verify that you are running the current recommended FortiAP version. To do this in the GUI, go to the WiFi Controller> Managed Access Points > Managed FortiAP. If your FortiAP is not running the recommended version, the OS Version column displays the message: A recommended update is available.

FortiAP-S l 5.4.1 and later
FortiSwitch OS

(FortiLink support)

l 3.5.0 and later
FortiController l 5.2.0 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C l 5.0.3 and later

Supported model: FCTL-5103B

FortiSandbox l 2.1.0 and later l 1.4.0 and later
Fortinet Single Sign-On (FSSO) l  5.0 build 0256 and later (needed for FSSO agent support OU in group filters)

l  Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard l Windows Server 2012 R2 Standard l Novell eDirectory 8.8

l  4.3 build 0164 (contact Support for download) l Windows Server 2003 R2 (32-bit and 64-bit) l Windows Server 2008 (32-bit and 64-bit) l Windows Server 2008 R2 64-bit l Windows Server 2012 Standard Edition l Windows Server 2012 R2 l Novell eDirectory 8.8

FSSO does not currently support IPv6.

FortiExplorer l 2.6.0 and later.

Some FortiGate models may be supported on specific FortiExplorer versions.

 

FortiOS 5.4.5 support                                                                                             Product Integration and Support

FortiExplorer iOS l 1.0.6 and later

Some FortiGate models may be supported on specific FortiExplorer iOS versions.

FortiExtender l 3.0.0 l 2.0.2 and later
AV Engine l 5.247
IPS Engine l 3.311
Virtualization Environments
Citrix l XenServer version 5.6 Service Pack 2 l XenServer version 6.0 and later
Linux KVM l RHEL 7.1/Ubuntu 12.04 and later l CentOS 6.4 (qemu 0.12.1) and later
Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016
Open Source l XenServer version 3.4.3 l XenServer version 4.1 and later
VMware l  ESX versions 4.0 and 4.1

l  ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, and 6.5

VM Series – SR-IOV The following NIC chipset cards are supported:

l Intel 82599 l Intel X540 l Intel X710/XL710

Language

Language support

The following table lists language support information.

Language support

Language GUI
English
Chinese (Simplified)
Chinese (Traditional)
French
Japanese
Korean
Portuguese (Brazil)
Spanish (Spain)

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer
Linux CentOS 6.5 / 7 (32-bit & 64-bit)

Linux Ubuntu 16.04

2333. Download from the Fortinet Developer Network https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN support                                                                                                  Product Integration and Support

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Product Antivirus Firewall
Symantec Endpoint Protection 11

Supported operating systems and web browsers

Operating System Web Browser
Microsoft Windows 7 SP1 (32-bit & 64-bit)

Microsoft Windows 8 / 8.1 (32-bit & 64-bit)

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Microsoft Windows 10 (64-bit) Microsoft Edge

Microsoft Internet Explorer version 11

Mozilla Firefox version 53

Google Chrome version 58

Linux CentOS 6.5 / 7 (32-bit & 64-bit) Mozilla Firefox version 53
Mac OS 10.11.1 Apple Safari version 9

Mozilla Firefox version 53

Google Chrome version 58

iOS Apple Safari

Mozilla Firefox

Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

SSL VPN

Product Antivirus Firewall
Kaspersky Antivirus 2009
McAfee Security Center 8.1
Trend Micro Internet Security Pro
F-Secure Internet Security 2009

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall
CA Internet Security Suite Plus Software
AVG Internet Security 2011
F-Secure Internet Security 2011
Kaspersky Internet Security 2011
McAfee Internet Security 2011
Norton 360™ Version 4.0
Norton™ Internet Security 2011
Panda Internet Security 2011
Sophos Security Suite
Trend Micro Titanium Internet Security
ZoneAlarm Security Suite
Symantec Endpoint Protection Small Business Edition 12.0

 

Resolved Issues

The following issues have been fixed in version 5.4.5. For inquires about a particular bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
392200 Encrypted archive log is generated even though the function archive-log in antivirus profile is unset.

DLP

Bug ID Description
379911 DLP filter order is not applied to encrypted files.

Firewall

Bug ID Description
304276 Policy real time view shows incorrect statistic in session offload to np6.
378482 TCP/UDP traffic fais when NAT/UTM is enabled on FGT-VM in KVM.
395241 After IPS is enabled on LB-VIP policy, this message displays: ipsapp session open failed: all providers busy.
402158 Some policy settings are not installed in complex sessions.
416111 FQDN address is unresolved in a VDOM although the URL is resolved with IP.

GUI

Bug ID Description
283682 Cannot delete FSSO-polling AD group from LDAP list tree window in FSSO-user GUI.
356998 urlfilter list re-order on GUI does not work.
371149 30D GUI should support FortiSwitch controller feature when CLI supports it.
372898 User group name should escape XSS script at UserGroups page.
Bug ID Description
374166 Using Edge cannot select the firewall address when configuring a static route.
374350 Field pre-shared key may be unavailable when editing the IPsec dialup tunnel created through the VPN wizard.
378428 FortiGate logs a connection of category deny (red sign) even though traffic is allowed through policy.
379331 DHCP Monitor page does not fully display the page selector pane.
384532 Cannot set IPsec vpn xauth user group inherit from policy in GUI when setting xauthtype auto server.
385482 Webui loads indefinitely when accessing a none access webpage from custom admin profile.
386285 GUI Wizard fails to create FortiClient Dialup IPsec VPN if HA is enabled.
386849 When editing IPsec tunnel, Accessible Networks field cannot load if there is nested address group.
387640 Duplicate entry found when auto generate guest user.
388454 GUI failures when FSSO group contains an apostrophe.
394067 Improve displaying the warning: File System Check Recommended.
395711 pyfcgid takes 100% of CPU when managed switch page displayed.
396430 CSRF token is disclosed in several URLs.
401247 Cannot nest service group within another service group through GUI.
409104 Fix virtual-wire wildcard VLANs not handling u-turn traffic properly.
421918 HTTPSD debug improvement.

HA

Bug ID Description
373200 Quick failover occurs when enabling portmonitor.
382798 Master unit delay in sending heartbeat packet.
386434 HA configuration and VLAN interface disappear from config after reboot.
Bug ID Description
396938 Reboot of FGT HA cluster member with redundant HA management interface deletes HA configuration.
397171 FIB of VDOMs in vcluster2 is not synced to the slave.
404736 SCTP synchronized sessions in HA cluster, when one reboots the master, the traffic is interrupted.
404874 Some commands for HA in diag debug report and exec tac report need to be updated.
408167 Heartbeat packets broadcast out of ports not configured as HB ports, even though the HB ports are directly connected.
Bug ID Description
377255 Can’t read UTM details on log panel when set location to FortiAnalyzer.
377733 Results/Deny All filter does not return all required/expected data.

IPsec VPN

Bug ID Description
356330 Cross NP6-Chip IPsec traffic does not work in SLBC environment.
374326 Accept type: Any peerID may be unavailable when creating a IPsec dialup tunnel with a pre-shared key and ikev1 in main mode.
386802 Unable to establish phase 2 when using address group/group object as quick mode selectors.
392097 3DES encryption susceptible to Sweet32 attack.
395044 OSPF over IPsec IKEv2 with dialup tunnel does not work as for IKEv1.
397386 Slave worker blades attempt to establish site to site IPsec VPN tunnel.
409050 unregister_netdevice messages appears on console when CAPWAP message is transmitted over IPsec tunnel.
411682 ADVPN failover does not update rtcache entry.
412987 IPsec VPN certificate not validated against PKI user’s CN and Subject.

Logging & Report

Bug ID Description
386742 Missing deny traffic log when user traffic is blocked by NAC quarantine.
397702 Add kernel related log messages for protocol attacks.
397714 Need a fill log disk utility to assist with CC testing.
398802 Forward traffic log shows dstintf=unknown-0 after enabling antivirus.
401511 FortiGate Local Report showing incorrect Malware Victims and Malware Sources.
402712 Username truncated in Webfilter & DLP logs.
406071 DNS filtering shows error: all Fortiguard SDNS servers failed to respond.
417128 Syslog message are missed in Fortigate.
421062 FortiGate 60E stopped sending logs to FortiAnalyzer when reliable enabled.

Router

Bug ID Description
373892 ECMP(BGP) routing failover time.
374306 Number of concurrent sessions affect the convergence time after HA failover.
383013 Message ha_fib_rtnl_hdl: msg truncated, increase buf size showing up on console.
385264 AS-override has not been applied in multihop AS path condition.
392250 BGP session not establishing with Cisco Nexus.
393623 Policy routing change not is not reflected.
397087 VRIP cannot be reached on 51E when it is acting as VRRP master.
399415 Local destined IPv6 traffic matched by PBR.
405408 FortiGate creates corrupted OSPF LS Update packet when certain number of networks is propagated.
421151 ICMP redirect received in root affects another VDOM’s route gateway selection.

SSL VPN

Bug ID Description
370986 SSL VPN LDAP user password renew doesn’t work when two factor authentication is enabled.
375827 SSL VPN web mode get Access denied to FOS 5.4.1 GA B1064 under VDOM.
375894 SSL VPN web mode access FMG B1066/FAZ B1066 error.
387276 SSL VPN should support Windows 10 OS check.
389566 “AltGr” key does not work when connecting to RDP-TLS server through SSL VPN web portal from IE 11.
394272 SSL VPN proxy mode can’t proxy some web server URL normally.
395497 https-redirect for SSL VPN does not support realms.
396932 Some web sites not working over web SSL VPN.
399711 SSL VPN does not decode hostcheck string properly for latest FortiClient.
399784 URL modified incorrectly for a dropdown in application server.
402743 User peer causes SSL VPN access failure even though user group has no user peer.
405799 AV breaks login to OWA via SSL VPN web mode.
406028 Citrix with Xenapp 7.x not working via SSL VPN web portal.
408624 SSL VPN certificate UPN+LDAP authentication works only on first policy.
423452 Citrix Xenapp not working properly via SSL VPN web portal.

System

Bug ID Description
182287 Implementation for check_daemon_enable() is not efficient.
283952 VLAN interface Rx bytes statistics higher than underlying aggregate interface.
302722 Using CLI #get system hardware status makes CLI hang.
306041 SSH error Broken pipe on client when using remote forwarding and SSH deep packet option log port fwd is enabled.

 

Bug ID Description
354490 False positive sensor alarms in Event log.
355256 After reassigning a hardware switch to a TP-mode VDOM, bridge table does not learn MAC addresses until after a reboot.
375798 Multihoming SCTP sessions are not correctly offloaded.
376423 Sniffer is not able to capture ICMPv6 packets with Hop-by-Hop option when using filter icmp6.
377192 DHCP request after lease expires is sent with former unicast IP instead of 0.0.0.0 as source.
378364 L2TP over IPsec tunnel cannot be established in FortiGate VM.
379883 Link-monitor doesn’t remove the route when it is in “die” state.
381363 Empty username with Radius 802.1x WSSO authentication.
382657 ICMP Packets bigger than 1418 bytes are dropped when offloading for IPsec tunnel is enabled.

Affected models: FG-30D, FG-60D, FG-70D, FG-90D, FG-90D-POE, FG-94D, FG-98D, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FWF-30D, FWF-60D, FWF-90D, FWF-90D-POE.

383126 50E/51E TP mode – STP BPDU forwarding destined to 01:80:c2:00:00:00 has stopped after warm/cold reboot.
385455 Inconsistent trusted host behavior.
385903 Changing allowedaccess on FG-200D hardware switch interfaces causes hard-switch to stop functioning.
386271 On FWF-90D after enabling IPS sensor with custom sig, in 60% chance need to wait for 30+ seconds to let ping packet pass.
386395 Missing admin name in system event log related to admin NAC quarantine.
388971 Insufficient guard queue size when sending files to FSA.
389407 High memory usage for radvd process.
389711 Suggest asic_pkts/asic_bytes counter in diagnose firewall iprope show should remain after FortiGate reboot.
391168 Delayed Gratuitous ARP during SLBC Chassis Fail-back.
391460 FortiGuard Filtering Services Availability check is forever loading.

 

Bug ID Description
392655 Conserve mode – 4096 SLAB leak suspected.
393275 VDOM admin forced change password while there is other login session gets The name is a reserved keyword by the system.
393343 Remove botnet filter option if interface role is set to LAN.
394775 GUI not behaving properly after successful upload of FTK200CD file.
395039 Loopback interface: Debug Flow and logs do not show the usage of firewall policy ID.
396018 Backup slave member of a redundant interface accept and process incoming traffic.
397984 SLBC – FIB sync may fail if there is a large routing table update.
398852 UDP jumbo frames arrives fragmented on a 3600C are blocked when acceleration is enabled.
399364 VDOM config restore fails for GRE interface bound to IPsec VPN interface.
399648 LAN ports status is up after reboot even if administrative status is down on FG-30D.
400907 Ethernet Ports Activity LED doesn’t light for shared copper ports.
401360 LDAP group query failed when the fixed length buffer overflows.
402742 VDOM list page does not load.
403532 FG-100D respond fragmented ICMP request with non-fragmented reply right after factory reset.
403724 Real number of FortiToken supported doesn’t match tablesize on some platforms.
403937 High memory on VSD.
404258 L2TP second user cannot connect to FG-600D via a router (NAPT).
404480 Link-monitor is not detecting the server once it becomes available.
405234 Unable to load application control replacement message logo and image in explicit proxy (HTTPS).
405757 Interface link not coming up when FortiGate interface is set to 1000full.
406071 DNS Filtering showing error all Fortiguard SDNS servers failed to respond.
Bug ID Description
406519 Administrative users assigned to prof_admin profile do not have access to diagnose CLI command.
406689 Autoupdate schedule time is reset after rebooting.
406972 Device become unresponsive for 30 min. during IPS update when cfg-save option is set to manual.
409828 Cisco switches don’t discover FortiGate using LLDP on internalX ports.
410463 SNMP is not responding when queried on a loopback IP address with an asymmetric SNMP packet path.
410901 PKI peer CA search stops on first match based on CA subject name.
411432 scanunitd gets high CPU when making configuration changes.
411433 voipd shows high CPU when making configuration changes.
411685 If IPPool is enabled in the firewall policy, offloaded traffic to NP6 is encrypted with a wrong SPI.
414243 DNS Filter local FortiGuard SDNS servers failed to respond due to malformed packet.
416678 FG101E/100E has reports of firewall lockups in production.
418205 High CPU utilization after upgrade from FortiOS 5.2.10 to 5.4.4.
420170 Skip the rating for dynamic DNS update type queries.

Web Filter

Bug ID Description
188128 For the Flowbase web filter, the CLI command set https-replacemsg disable does not work.

WebProxy

Bug ID Description
376808 Explicit proxy PAC File distribution in FortiOS 5.4.x not working properly.
383817 WAD crashes with a signal 11 (segmentation fault) in wad_port_fwd_peer_shutdown and wad_http_session_task_end.
389863 Signal 11 WAD and HTTPSD processes, and GUI not accessible.
Bug ID Description
398052 WAD session leak.
398405 WAD crashes without backtrace.
400454 Improve WAD debug trace and crash log information.
402155 WAS crashes with signal 6 in wad_authenticated_user_authenticate after upgrade to 5.4.3.
402778 WAD does not authorize user if it belongs to more than 256 usergroups with Kerberos authentication.
405264 WAD crash when flush FTP over HTTP traffic.
408503 Cannot access websites when SSL Inspection is set to Inspect All Ports with Proxy Option enabled only for HTTP(ANY).
412462 Fortinet-Bar does not show up on iPhone with iOS 10.2.1 Safari and Google Chrome 57.0.2987.100.
415918 Explicit proxy users are disconnected once a VDOM is created / removed.
421092 WAD consuming memory when explicit webproxy is used.

WiFi

Bug ID Description
387146 Wireless client RSSO authentication fails after reconnection to AP.

Common Vulnerabilities and Exposures

FortiOS 5.4.5 is no longer vulnerable to the following CVE references. For more information, see https://fortiguard.com/psirt.

Bug ID CVE references
421739 l CVE-2017-7734 l CVE-2017-7735

 

Known Issues

The following issues have been identified in version 5.4.5. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

AntiVirus

Bug ID Description
374969 FortiSandbox FortiView may not correctly parse the FSA v2.21 tracer file(.json).
Bug ID Description
304199 Using HA with FortiLink can encounter traffic loss during failover.

Endpoint Control

Bug ID Description
374855 Third party compliance may not be reported if FortiClient has no AV feature.
375149 FortiGate does not auto update AV signature version while Endpoint Control is enabled.
391537 Buffer size is too small when sending large vulnerability list to FortiGate.

Firewall

Bug ID Description
364589 LB VIP slow access when cookie persistence is enabled.

FortiGate-3815D

Bug ID Description
385860 FortiGate-3815D does not support 1GE SFP transceivers.

FortiRugged-60D

Bug ID Description
375246 invalid hbdev dmz may be received if the default hbdev is used.

FortiSwitch-Controller/FortiLink

Bug ID Description
357360 DHCP snooping may not work on IPv6.
369099 FortiSwitch authorizes successfully but fails to pass traffic until you reboot FortiSwitch.
374346 Adding or reducing stacking connections may block traffic for 20 seconds.

FortiView

Bug ID Description
368644 Physical Topology: Physical Connection of stacked FortiSwitch may be incorrect.
372350 Threat view: Threat Type and Event information is missing in the last level of the threat view.
372897 Invalid -4 and invalid 254 is shown as the submitted file status.
373142 Threat: Filter result may not be correct when adding a filter on a threat and threat type on the first level.
375172 FortiGate under a FortiSwitch may be shown directly connected to an upstream FortiGate.
375187 Using realtime auto update may increase chrome browser memory usage.

GUI

Bug ID Description
289297 Threat map may not be fully displayed when screen resolution is not big enough.
297832 Administrator with read-write permission for Firewall Configuration is not able to read or write firewall policies.
355388 The Select window for remote server in remote user group may not work as expected.
365223 CSF: downstream FGT may be shown twice when it uses hardware switch to connect upstream.
365317 Unable to add new AD group in second FSSO local polling agent.
365378 You may not be able to assign ha-mgmt-interface IP address in the same subnet as another port from the GUI.
368069 Cannot select wan-load-balance or members for incoming interface of IPsec tunnel.
369155 There is no Archived Data tab for email attachment in the DLP log detail page.

Known Issues

Bug ID Description
372908 The interface tooltip keeps loading the VLAN interface when its physical interface is in another VDOM.
372943 Explicit proxy policy may show a blank for default authentication method.
374081 wan-load-balance interface may be shown in the address associated interface list.
374162 GUI may show the modem status as Active in the Monitor page after setting the modem to disable.
374224 The Ominiselect widget and Tooltip keep loading when clicking a newly created object in the Firewall Policy page.
374320 Editing a user from the Policy list page may redirect to an empty user edit page.
374322 Interfaces page may display the wrong MAC Address for the hardware switch.
374373 Policy View: Filter bar may display the IPv4 policy name for the IPv6 policy.
374397 Should only list any as destination interface when creating an explicit proxy in the TP VDOM.
374521 Unable to Revert revisions in GUI.
374525 When activating the FortiCloud/Register-FortiGate, clicking OK may not work the first time.
375346 You may not be able to download the application control packet capture from the forward traffic log.
373363 Multicast policy interface may list the wan-load-balance interface.
373546 Only 50 security logs may be displayed in the Log Details pane when more than 50 are triggered.
374363 Selecting Connect to CLI from managed FAP context menu may not connect to FortiAP.
375036 The Archived Data in the SnifferTraffic log may not display detailed content and download.
375227 You may be able to open the dropdown box and add new profiles even though errors occur when editing a Firewall Policy page.
375259 Addrgrp editing page receives a js error if addrgrp contains another group object.
375369 May not be able to change IPsec manualkey config in GUI.
375383 Policy list page may receive a js error when clicking the search box if the policy includes wan-load-balance interface.
Bug ID Description
379050 User Definition intermittently not showing assigned token.
421423 Cannot download certificate in Security Profiles > SSL/SSH Inspection. Workaround: Go to System > Certificates to download.

HA

Bug ID Description
399115 ID for the new policy (when using edit 0) is different on master and on slave unit.

IPsec

Bug ID Description
393958 Shellshock attack succeeds when FGT is configured with server-cert-mode replace and an attacker uses rsa_3des_sha.
435124 Cannot establish IPsec phase1 tunnel after upgrading from version 5.4.5 to 5.6.0.

Workaround: After upgrading to 5.6.0, reconfigure all IPsec phase1 psksecret settings.

Router

Bug ID Description
299490 During and after failover, some multicast groups take up to 480 seconds to recover.

SSL VPN

Bug ID Description
303661 The Start Tunnel feature may have been removed.
304528 SSL VPN Web Mode PKI user might immediately log back in even after logging out.
374644 SSL VPN tunnel mode Fortinet bar may not be displayed.
375137 SSL VPN bookmarks may be accessible after accessing more than ten bookmarks in web mode.
382223 SMB/CIFS bookmark in SSL VPN portal doesn’t work with DFS Microsoft file server error “Invalid HTTP request”.

Known Issues

System

Bug ID Description
284512 When using the Dashboard Interface History widget, the httpds process uses excessive memory and then crashes.
287612 Span function of software switch may not work on FortiGate-51E/FortiGate-30E.
290708 nturbo may not support CAPWAP traffic.
295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate may not prompt the user to enter the key.
304199 FortiLink traffic is lost in HA mode.
364280 User cannot use ssh-dss algorithm to log in to FortiGate via SSH.
371320 show system interface may not show the Port list in sequential order.
372717 Option admin-https-banned-cipher in sys global may not work as expected.
392960 FOS support for V4 BIOS.
424215 FG-80C halts during boot after upgrade from 5.2.10 to 5.4.4.

Upgrade

Bug ID Description
269799 Sniffer config may be lost after upgrade.
289491 When upgrading from 5.2.x to 5.4.0, port-pair configuration may be lost if the port-pair name exceeds 12 characters.

Visibility

Bug ID Description
374138 FortiGate device with VIP configured may be put under Router/NAT devices because of an address change.

VM

Bug ID Description
364280 ssh-dss may not work on FGT-VM-LENC.

WiFi

Bug ID Description
434991 WTP tablesize limitation cause WTP entry to be lost after upgrade from v5.4.4 to 5.4.5.

Affected models: FG-30D, FG-30D-POE, FG-30E, FWF-30D, FWF-30D-POE, FWF-30E.

 

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

  • XenTools installation is not supported.
  • FortiGate-VM can be imported or deployed in only the following three formats:
  • XVA (recommended) l VHD l OVF
  • The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

FortiSIEM Integration API

$
0
0

Integration API

AccelOps provides an API that you can use to query and make changes to the CMDB, query events, and send notifications. These topics contain information on API parameters, sample XML input and output files, and python scripts that you can use to interact with the API.

Python Support

Versions 2.5, 2.6

Version 2.4 is only supported when import ssl is changed to from socket import ssl

Version 3.0 cannot be supported unless all print statements are rewritten

You will need to install httplib2 and ssl manually, if they are not already installed

Topics

Add or Update an Organization

Create or Update Credentials

Discover Devices

Get CMDB Device Info

Get the List of Monitored Devices and Attributes

Get the List of Monitored Organizations

Update Device Monitoring

Add, Update or Delete Device Maintenance Schedule

Events and Report Integration

Incident Notification

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API Using the Notification API

External Help desk / CMDB Integration External Threat Intelligence Integration License Registration

CMDB APIs

These APIs are available for interacting with the AccelOps CMDB.

Add or Update an Organization

Create or Update Credentials

Discover Devices

Get CMDB Device Info

Get the List of Monitored Devices and Attributes

Get the List of Monitored Organizations

Update Device Monitoring

Add, Update or Delete Device Maintenance Schedule

 

Add or Update an Organization

Applies To

API Parameters

Sample Code for Adding an Organization

Sample XML Input File

Sample Python Script

Sample Code for Updating an Organization’s Attributes

Sample XML Input File

Sample Python Script

Applies To

Multi-tenant deployments

API Parameters

Methodology  REST API based: makes an HTTP(S) request with an input XML containing the organization information. The key to the organization information is the name.
Request

URL

Add an organization: https://<AccelOps_IP>/phoenix/rest/organization/add

Update an organization: https://<AccelOps_IP>/phoenix/rest/organization/update

Input

Parameters

Username and password of Super account or Organization specific account, Organization definition file
Input XML Contains organization details – the key is the organization name, which means that entries with the same name will be merged.
Output None

Sample Code for Adding an Organization

The sample shows how to add the organization organization341 and specify its attributes.

Sample XML Input File

Sample Python Script

AddOrg.py script Usage
import sys, base64, urllib, urllib2 from xml.dom.minidom import Node, Document, parseString  def restPost(appServer, user, password, file):

f = open(file, ‘r’)     content = f.read()

f.close()     url = “https://” + appServer + “/phoenix/rest/organization/add”     auth = “Basic %s” % base64.encodestring(user + “:” + password)     request = urllib2.Request(url, content)     request.add_header(‘Authorization’, auth)     request.add_header(‘Content-Type’, ‘text/xml’) # ‘application/xml’     request.add_header(‘Content-Length’, len(content)+2)     request.add_header(‘User-Agent’, ‘Python-urllib2/2.7’)     request.get_method = lambda: ‘PUT’      try:

handle = urllib2.urlopen(request)     except urllib2.HTTPError, error:         if (error.code != 204):

print error  if __name__==’__main__’:     if len(sys.argv) != 5:

print “Usage: addOrgSample.py appServer user password orgDefFile”         print “Example: python addOrgSample.py 192.168.20.116 super/admin adm1n orgDef.xml”         sys.exit()

restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

python addOrg.py <AccelOps_IP> <user> <password> <orgDefFile>

Sample Code for Updating an Organization’s Attributes

Th sample increases the max events per sec (eps) value of organization341 to 1000. The Key is the name. Sample XML Input File

Sample Python Script

AddOrg.py script Usage

 

python updateOrg.py <AccelOps_IP>

<user> <password> <orgDefFile>

Create or Update Credentials

Applies To

API Parameters

Multi-Tenant Deployments

Enterprise Deployments

Sample Code for Adding and Updating Credentials

Sample XML Input File

Sample Python Script

Applies To

Enterprise and multi-tenant deployments

API Parameters

The key is the credential name in the input XML. If a credential with the same name exists, then the credential in the database will be updated with the new content.

Multi-Tenant Deployments

Methodology REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Request URL https:///phoenix/rest/deviceMon/updateCredential
Input Parameters Username and password of Super account or Organization specific account, Organization name
Input XML  An XML file that contains credentials and IP to credential mappings
Output None

Enterprise Deployments

Methodology  REST API based: make an HTTP(S) request with an input XML
Request URL  https://<AccelOps_IP>/phoenix/rest/deviceMon/updateCredential
Input Parameters  Username and password of any AccelOps account
Input XML  An XML file that contains credentials and IP to credential mappings
Output None

 

Sample Code for Adding and Updating Credentials

This sample takes the credentials and, optionally, the organization name as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed. Sample XML Input File

Sample Python Script

UpdateCredentiual.py Script Usage

 

 

import sys, base64, urllib, urllib2 def restPost(appServer, user, password, file):

f = open(file,’r’)   content = f.read()

f.close()   url = “https://” + appServer + “/phoenix/rest/deviceMon/updateCredential”   auth = “Basic %s” % base64.encodestring(user + “:” + password)   request = urllib2.Request(url, content)   request.add_header(‘Authorization’, auth)   request.add_header(‘Content-Type’,’text/xml’) # ‘application/xml’   request.add_header(‘Content-Length’, len(content)+2)   request.add_header(‘User-Agent’, ‘Python-urllib2/2.7’)   request.get_method = lambda: ‘PUT’   try:

handle = urllib2.urlopen(request)   except urllib2.HTTPError, error:     if (error.code != 204):

print error  if __name__==’__main__’:     if len(sys.argv) != 5:

print “Usage: UpdateCredential.py appServer user password credentialDefFile”         print “Example: python UpdateCredential.py 192.168.20.116 super/admin adm1n credentialDef.xml”         sys.exit()

restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

 python UpdateCredential.py

<AccelOps_IP> <user> <password> <credential xml file> Example

python UpdateCredential.py 172.16.20.210  “super/admin”

“admin*1”  AddCredential.xml

The Super_user needs to be explicitly stated in organization/user format, for

example “super/admin” or “super/ admin” instead of just “admin”

 

 

FortiSIEM Discover Devices API Integration

$
0
0
Discover Devices

Applies To

API Parameters

Multitenant Deployments

Enterprise Deployments

Sample Code for Discovery Request

Sample Input XML File

Sample Python Script

Sample Output XML for Discovery Results

Sample Output Text for Discovery Results

Applies To

Enterprise and multitenant deployments

API Parameters

Multitenant Deployments

Methodology REST API based: make an HTTP(S) request with an input XML containing the devices to be discovered. An output XML containing the task Id is returned. The task Id can then be used to get the status of the discovery results
Request

URL

Discovery request: https://<AccelOps_IP>/phoenix/rest/deviceMon/discover

Discovery result: https://<AccelOps_IP>/phoenix/rest/deviceMon/discover/status?taskId=1234

Input

Parameters

Username and password of Super account or Organization specific account, Organization name
Output Discovery request: XML containing task Id

Discovery result: XML containing discovered devices and attributes

Enterprise Deployments

Methodology REST API based: make an HTTP(S) request with an input XML containing the devices to be discovered. An output XML containing the task Id is returned. The task Id can then be used to get the status of the discovery results
Request

URL

Discovery request: https://<AccelOps_IP>/phoenix/rest/deviceMon/discover

Discovery result: https://<AccelOps_IP>/phoenix/rest/deviceMon/discover/status?taskId=1234

Input

Parameters

Username and password of any AccelOps account
Output Discovery request: XML containing task Id

Discovery result: XML containing discovered devices and attributes

Sample Code for Discovery Request

This sample takes the credentials and, optionally, organization name as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

Sample Input XML File

Sample Python Script

Discover.py Script Usage

 

 

import sys, base64, urllib, urllib2 def restPost(appServer, user, password, file):

f = open(file, ‘r’)     content = f.read()

f.close()     url = “https://” + appServer + “/phoenix/rest/deviceMon/discover”     auth = “Basic %s” % base64.encodestring(user + “:” + password)     request = urllib2.Request(url, content)     request.add_header(‘Authorization’, auth)     request.add_header(‘Content-Type’, ‘text/xml’) # ‘application/xml’     request.add_header(‘Content-Length’, len(content))     request.add_header(‘User-Agent’, ‘Python-urllib2/2.4’)     request.get_method = lambda: ‘PUT’     try:

handle = urllib2.urlopen(request)     except urllib2.HTTPError, error:         if (error.code != 204):

print error if __name__==’__main__’:     if len(sys.argv) != 5:

print “Usage: discoverDevice.py appServer user password deviceDefFile”         print “Example: python discoverDevice.py 192.168.20.116 super/admin adm1n deviceDef.xml”         sys.exit()     restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

python Discover.py <AccelOps_IP> <user> <password> <device xml file name> Example

python Discover.py 172.16.20.210 “super/admin” “admin*1” DiscoverDevice. xml

The Super_user needs to be explicitly stated in organization/user format, for example, “super/adm in” or “super/admin” instead of just “admin”.

Sample Output XML for Discovery Results

Sample Output Text for Discovery Results

 

Viewing all 2380 articles
Browse latest View live


<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>