Splunk Enterprise Security

Fortigate Firewall logs are not populating in Intrusion Centre dashboard in Splunk Enterprise Security

bsuresh1
Path Finder

Hi All,

Environment: Splunk Cloud

We have installed "Fortinet Fortigate Add-On for Splunk" on our Onprem Heavy Forwarder. Log ingestion is happening with sourcetypes like fgt_traffic, fgt_utm, etc.

But the fortigate data is not being populated in "Intrusion Centre" dashboard in Enterprise Security.

Should I install "Fortinet Fortigate APP" also in HF and SH to get these dashboards populated with data?

0 Karma
1 Solution

jerryzhao
Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

View solution in original post

0 Karma

diogofgm
SplunkTrust
SplunkTrust

what that's are being applied to your events? intrusion events should be tagged with ids and attack tags so they can be seen by the "Intrusion Detection" data model and thus ES. Which version of ES, splunk and CIM app are you using?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

bsuresh1
Path Finder

Hi diogofgm,

Yes, the events were tagged with ids and attack but I missed to add the index=firewall in CIM setup (in Intrusion Detection datamodel). After updating the CIM setup, data showed up in Intrusion Center in other dashboards. Thanks.

0 Karma

jerryzhao
Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

0 Karma

bsuresh1
Path Finder

Thank you JerryZhao.

I could see very few events with "attack" field. But still the data didn't show up in Intrusion Center. Later, I have found that I should update index="firewall" in CIM setup (in Intrusion Detection datamodel). Now, I could see the data showing up in Intrusion Center.

Thanks again.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...