
Does the FortiGate addon work with the new Splunk Security Essentials App?

smaat11
Explorer

Will the Fortigate Addon work with the new Splunk Security Essentials App (v2.1) out of the box or will I need to make additional customizations to get things working?

I am thinking it's the latter since the use case for Basic Scanning shows the requirement "Must have Firewall Data" is satisfied for live data (green check), but the requirement "Must have a dest_ip and dest_port field" is not meeting the requirements of the app (red exclamation).

0 Karma
1 Solution

jerryzhao
Contributor

In the add-on there is dest but not dest_ip, so you can add an alias for it to work.
dest_port should already be there.
You can add the following to props.conf of the add-on under [fgt_traffic]:
FIELDALIAS-fgt_traffic_dest_ip = dstip as dest_ip

The add-on works fine with Enterprise Security but wasn't verified with the Security Essentials app, so your mileage may vary.

smaat11
Explorer

Thanks for the info. I will give that a try and let you know if it works out.

0 Karma

David
Splunk Employee

Any data sources that are Common Information Model compliant should satisfy that particular requirement (along with all of those in the app -- there are a few gaps that we're looking forward to closing in the near future).

Do you have the add-on installed on your Search Head?

0 Karma

smaat11
Explorer

Small single server implementation at the moment, so yes both Security Essentials and Fortigate add-on are installed on the search head.

0 Karma