Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

HafizJasmi
New Contributor

Created on ā€Ž10-12-2020 10:12 PM

CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to fortisiem, i have question, currently our Fortisiem monitor Cisco ASA firewall, but as for now it did not flag any rules from Fortisiem.

It is i have to manually create rules for any security incident for Cisco ASA? If anyone could share rules for  ASA or any use case that you guys used.

Labels:
966
0 Kudos
3 REPLIES 3
FSM_FTNT
Staff
Staff

Created on ā€Ž10-13-2020 04:03 AM

Hi Muhammad,

There are some specific rules where we mention ASA events by name.

  • Successful VPN Logon From Outside My Country
  • Startup Config Change: with login
  • Running Config Change: with login info
  • Heavy TCP Port Scan: Single Destination
  • Permitted Blacklisted Source
  • Denied Blacklisted Source
  • Permitted Blacklisted Destination
  • Denied Blacklisted Destination

FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types) and you will find Rules referencing Event Type Groups rather than individual events. For example "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic" and that group contains Cisco ASA events (about 20).

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
947
0 Kudos
HafizJasmi
New Contributor
In response to FSM_FTNT

Created on ā€Ž10-14-2020 11:12 PM

Hi Daniel,

Thanks suggestion given, after going through i found out i need to activate some of the rules, maybe someone before me deactivated it.

947
0 Kudos
KarnGriffen
New Contributor III
In response to HafizJasmi

Created on ā€Ž10-15-2020 09:14 AM

Muhammad,  

You can create a Rule that notifies you when people change Rules.  Helpful for finding when things have been modified:
IF System Event Category = 2 AND Event Type IN PH_AUDIT_OBJECT_CREATED, PH_AUDIT_OBJECT_DELETED, PH_AUDIT_OBJECT_UPDATED AND OS Object Type = Rule
WHERE COUNT(Matched Events) >= 1
GROUPBY User,Object Name,Organization Name
947
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the ā€œNominate to Knowledge Baseā€ button to recommend a forum post to become a knowledge article.

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.