Splunk Enterprise Security

Fortigate Firewall logs are not populating in Intrusion Centre dashboard in Splunk Enterprise Security

Explorer

Hi All,

Environment: Splunk Cloud

We have installed "Fortinet Fortigate Add-On for Splunk" on our Onprem Heavy Forwarder. Log ingestion is happening with sourcetypes like fgt_traffic, fgt_utm, etc.

But the fortigate data is not being populated in "Intrusion Centre" dashboard in Enterprise Security.

Should I install "Fortinet Fortigate APP" also in HF and SH to get these dashboards populated with data?

0 Karma
1 Solution

Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

what that's are being applied to your events? intrusion events should be tagged with ids and attack tags so they can be seen by the "Intrusion Detection" data model and thus ES. Which version of ES, splunk and CIM app are you using?

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma

Explorer

Hi diogofgm,

Yes, the events were tagged with ids and attack but I missed to add the index=firewall in CIM setup (in Intrusion Detection datamodel). After updating the CIM setup, data showed up in Intrusion Center in other dashboards. Thanks.

0 Karma

Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

View solution in original post

0 Karma

Explorer

Thank you JerryZhao.

I could see very few events with "attack" field. But still the data didn't show up in Intrusion Center. Later, I have found that I should update index="firewall" in CIM setup (in Intrusion Detection datamodel). Now, I could see the data showing up in Intrusion Center.

Thanks again.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!