4D Documents
Best practices documents for defining, designing, deploying and demoing various cross product solutions.
keithli_FTNT
Staff
Article Id 286539

The following snippet summarizes the steps necessary to configure FortiSIEM to provide the FortiGate with IP addresses that have been associated with suspicious or malicious activity. The deployment assumes that the customer has already deployed FortiSIEM (either on premises or FortiSIEM Cloud) and a FortiGate that will consume the FortiSIEM watchlist for network enforcement. To view the complete guide, go to Agentless ZTNA with FortiSIEM UEBA and FortiGate.


Design Concept and Considerations


FortiSIEM UEBA Telemetry

For the most complete visibility of user activity, the deployment of FortiSIEM Agents with UEBA enabled is recommended. This allows for detailed user activity to be collected without the need to enable any specific Microsoft Windows auditing.


Native Windows as UEBA Telemetry

Where an agent cannot be deployed, events can still be collected from the Windows device using an agentless method such as OMI. However, about 50% of the UEBA ML model's inputs will then lack the data they need, so detection coverage is reduced.


Other Infrastructure Logs

Understanding user behavior does not rely solely on UEBA and ML models. More traditional SIEM correlation rules, as well as specific statistical rules, can improve detection and identify user anomalies and potentially malicious behavior.


Sharing Information with FortiGate

FortiGate uses the Security Fabric Threat Feed integration to connect to FortiSIEM through the watchlist API and pull back the list of IP addresses.

The IP addresses can then be used in a number of scenarios, including:

  • Apply the threat feed as the source address in a firewall policy to deny access to a VIP.
  • Apply the threat feed as the source address in a local-in policy to deny IKE/SSL/HTTPS or any other administrative access destined to the FortiGate WAN interface.
  • Apply the threat feed as the source address in an SSL VPN or IPsec VPN based firewall policy.



Deployment Plan

The high-level deployment plan is as follows:

  1. FortiSIEM - Install FortiSIEM Agents and enable UEBA where licensed. Specific steps to deploy and enable can be found in the Windows Agent Installation Guide.

  2. FortiSIEM - Define the IP watchlist.

  3. FortiSIEM - Import the custom rules.

  4. FortiSIEM - Customize the rules to reference the watchlists.

  5. FortiGate - Configure the FortiGate to collect the IPs from the Fabric watchlists.

  6. FortiGate - Configure the use case for FortiGate consumption of the IP Address Threat Feed.

For detailed instructions on the deployment steps, see Agentless ZTNA with FortiSIEM UEBA and FortiGate > Deployment Procedures.
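As an added illustration of steps 5 and 6 and of the enforcement scenarios listed under "Sharing Information with FortiGate", the FortiOS CLI fragment below defines the FortiSIEM watchlist as an external address resource and references it in a local-in policy (protecting the WAN interface) and in a firewall policy (protecting a VIP). This is example configuration written for this article, not taken from the guide; the watchlist URL, credentials, interface names and VIP name are placeholders that must be replaced with values from your own deployment.

```fortios
# External threat feed of type "address": FortiGate polls the FortiSIEM
# watchlist API and builds an address object from the returned IP list.
config system external-resource
    edit "FortiSIEM-Watchlist"
        set type address
        set comments "Suspicious IPs exported by FortiSIEM UEBA/rules"
        # Placeholder: use the watchlist export URL from your FortiSIEM
        set resource "https://FORTISIEM_HOST/PLACEHOLDER_WATCHLIST_EXPORT_URL"
        # Placeholder credentials for the FortiSIEM API account
        set username "PLACEHOLDER_API_USER"
        set password "PLACEHOLDER_API_PASSWORD"
        # Poll interval in minutes; balance freshness against API load
        set refresh-rate 5
        set status enable
    next
end

# Use case: block administrative and VPN access to the WAN interface
# (HTTPS admin, SSH, IKE) from IPs on the watchlist.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "FortiSIEM-Watchlist"
        set dstaddr "all"
        set service "HTTPS" "SSH" "IKE"
        set schedule "always"
        set action deny
    next
end

# Use case: deny watchlisted sources access to a published VIP.
# Place this policy ABOVE the policy that permits access to the VIP;
# FortiOS evaluates policies top-down and stops at the first match.
config firewall policy
    edit 100
        set name "Deny-FortiSIEM-Watchlist-to-VIP"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "FortiSIEM-Watchlist"
        set dstaddr "web-vip"
        set service "ALL"
        set schedule "always"
        set action deny
        set logtraffic all
    next
end
```

After committing, check that the feed loads correctly (no authentication or TLS errors) and that the address object is populated before relying on the deny policies; an empty feed blocks nothing.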
