Technical Tip: Certain FortiGate configurations may generate both a log and a SNMP trap for the same event

This article discusses security event alerts created by SNMP Traps and Event Logging and compares the two for usage in enterprise environments.

Consider the following example scenario:

• An IPv4 DoS Policy has been configured with monitoring/logging enabled for the icmp_flood Anomaly.
• SNMP has been configured with SNMP Events (aka SNMP traps) enabled for the IPS detected an anomaly event.

In this scenario, the following traffic has been sent through the FortiGate and causes it to both generate a log entry and also an SNMP trap for the event:

Attacker (Source) IP Address: 192.168.0.4

Server (Destination) IP Address: 10.0.0.4

FortiGate mgmt Interface Address: 172.16.0.1

Network Management Station (SNMP Trap Destination) Address: 172.16.0.85

Log generated:

date=2022-07-09 time=18:03:06 eventtime=1657414986873030266 tz="-0700" logid="0720018433" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" severity="critical" srcip=192.168.0.4 srccountry="Reserved" dstip=10.0.0.4 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" sessionid=0 action="detected" proto=1 service="PING" count=18990 attack="icmp_flood" icmpid="0x2f27" icmptype="0x08" icmpcode="0x00" attackid=16777316 policyid=1 policytype="DoS-policy" ref=http://www.fortinet.com/ids/VID16777316 msg="anomaly: icmp_flood, 650 > threshold 20, repeats 18990 times since last log, pps 656 of prior second" crscore=50 craction=4096 crlevel="critical"

SNMP trap generated:

Comparing the two, it is evident that the log entry contains more in-depth information than the SNMP trap. Both tools are still useful depending on the needs of the business employing the FortiGate:

• Some enterprises mandate that all security events must be sent to a Network Management Station (NMS) via SNMP traps.
• Other enterprises may instead prefer to handle security event alerts via log collection only, such as with syslog- or FortiAnalyzer-based centralized logging.
• In some cases, enterprises may utilize a combination of both methods.

Ultimately, administrators can select the alerting method(s) based on the needs/requirements of the business and what best aligns with existing processes/tools.

Key Points to Consider:

• Event logs are more data-rich when compared to SNMP traps, which makes them useful for generating reports or performing more detailed analysis.
• On the other hand, SNMP traps are still useful for their immediacy, as security analysts often have processes to start investigations based on received SNMP traps.
• The data-rich nature of event logs generally allows for more granular control over what is logged vs. not logged. For example, the FortiGate supports 'free-style' filters that allow administrators to control what logs get sent out to external logging servers. See also: Technical Tip: Using syslog free-style filters
• By comparison, SMNP has coarser controls for when traps are generated, as it is only possible to control certain 'families' of traps.

• Event log/SNMP trap collectors (e.g. NMS, SIEM, etc.) often have more complex event filtering and processing capabilities available, so local filtering on the FortiGate may be less relevant in the decision-making process.
• Event logging is handled by a related family of different processes (miglogd, locallogd, fgtlogd, syslogd), whereas SNMP traps are handled by the snmpd daemon.This means that event logging and SNMP traps operate largely independently from each other from a underlying process level.
  
  • Consider disabling non-required event types under the SNMP configuration as a means of optimizing resource utilization (e.g. CPU, network, storage, etc.).