Splunk Enterprise Security

Fortigate Firewall logs are not populating in Intrusion Centre dashboard in Splunk Enterprise Security

bsuresh1
Path Finder

Hi All,

Environment: Splunk Cloud

We have installed "Fortinet Fortigate Add-On for Splunk" on our Onprem Heavy Forwarder. Log ingestion is happening with sourcetypes like fgt_traffic, fgt_utm, etc.

But the fortigate data is not being populated in "Intrusion Centre" dashboard in Enterprise Security.

Should I install "Fortinet Fortigate APP" also in HF and SH to get these dashboards populated with data?

0 Karma
1 Solution

jerryzhao
Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

View solution in original post

0 Karma

diogofgm
SplunkTrust
SplunkTrust

what that's are being applied to your events? intrusion events should be tagged with ids and attack tags so they can be seen by the "Intrusion Detection" data model and thus ES. Which version of ES, splunk and CIM app are you using?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

bsuresh1
Path Finder

Hi diogofgm,

Yes, the events were tagged with ids and attack but I missed to add the index=firewall in CIM setup (in Intrusion Detection datamodel). After updating the CIM setup, data showed up in Intrusion Center in other dashboards. Thanks.

0 Karma

jerryzhao
Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

0 Karma

bsuresh1
Path Finder

Thank you JerryZhao.

I could see very few events with "attack" field. But still the data didn't show up in Intrusion Center. Later, I have found that I should update index="firewall" in CIM setup (in Intrusion Detection datamodel). Now, I could see the data showing up in Intrusion Center.

Thanks again.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...