Cybersecurity Forum


HafizJasmi
New Contributor

CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to FortiSIEM and I have a question. Currently our FortiSIEM monitors a Cisco ASA firewall, but so far it has not flagged any rules from FortiSIEM.

Do I have to manually create rules for any security incident for Cisco ASA? Could anyone share rules for ASA or any use case that you guys used?

FSM_FTNT
Staff

Hi Muhammad,

There are some specific rules where we mention ASA events by name.

  • Successful VPN Logon From Outside My Country
  • Startup Config Change: with login
  • Running Config Change: with login info
  • Heavy TCP Port Scan: Single Destination
  • Permitted Blacklisted Source
  • Denied Blacklisted Source
  • Permitted Blacklisted Destination
  • Denied Blacklisted Destination

FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types) and you will find Rules referencing Event Type Groups rather than individual events. For example "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic" and that group contains Cisco ASA events (about 20).

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
HafizJasmi

Hi Daniel,

Thanks for the suggestions given. After going through them, I found out I need to activate some of the rules; maybe someone before me deactivated them.

KarnGriffen

Muhammad,

You can create a Rule that notifies you when people change Rules. Helpful for finding when things have been modified:
IF System Event Category = 2 AND Event Type IN PH_AUDIT_OBJECT_CREATED, PH_AUDIT_OBJECT_DELETED, PH_AUDIT_OBJECT_UPDATED AND OS Object Type = Rule
WHERE COUNT(Matched Events) >= 1
GROUPBY User,Object Name,Organization Name
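As an added illustration of how a rule of this shape behaves (this is example code, not FortiSIEM's own rule engine or anything posted above), the evaluator below applies the same filter, GROUP BY and COUNT threshold to a few constructed audit events; the attribute names come from the rule text in the post, while the sample values and the placeholder traffic event type are made up.

```python
# Added example: a small evaluator for a FortiSIEM-style rule of the form
# "IF <filter> WHERE COUNT(Matched Events) >= N GROUPBY <attributes>".
# Not FortiSIEM code; attribute names follow the rule text in the post.
from collections import defaultdict

# Filter from the post: System Event Category = 2, one of the three
# object-audit event types, and only objects whose type is "Rule".
AUDIT_EVENT_TYPES = {"PH_AUDIT_OBJECT_CREATED", "PH_AUDIT_OBJECT_DELETED",
                     "PH_AUDIT_OBJECT_UPDATED"}

RULE_CHANGE_RULE = {
    "filter": lambda e: (e.get("System Event Category") == 2
                         and e.get("Event Type") in AUDIT_EVENT_TYPES
                         and e.get("OS Object Type") == "Rule"),
    "group_by": ("User", "Object Name", "Organization Name"),
    "min_count": 1,   # WHERE COUNT(Matched Events) >= 1
}

def evaluate(rule, events):
    """Return {group-key tuple: matched count} for every group that reaches
    the rule's COUNT threshold. An event missing a GROUPBY attribute still
    counts, with None in that key position, so a rule change is never
    silently dropped just because (say) the organization name is absent."""
    counts = defaultdict(int)
    for event in events:
        if rule["filter"](event):
            key = tuple(event.get(attr) for attr in rule["group_by"])
            counts[key] += 1
    return {k: c for k, c in counts.items() if c >= rule["min_count"]}

# Constructed sample events (not real FortiSIEM output).
SAMPLE_EVENTS = [
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED",
     "OS Object Type": "Rule", "User": "admin",
     "Object Name": "Permitted Blacklisted Source", "Organization Name": "Super"},
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_DELETED",
     "OS Object Type": "Rule", "User": "admin",
     "Object Name": "Permitted Blacklisted Source", "Organization Name": "Super"},
    # Same user editing a Report, not a Rule: the OS Object Type test excludes it.
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED",
     "OS Object Type": "Report", "User": "admin",
     "Object Name": "Top Denied Sources", "Organization Name": "Super"},
    # An ordinary device event (placeholder type): not an audit event at all.
    {"System Event Category": 1, "Event Type": "CONSTRUCTED-ASA-TRAFFIC-EVENT"},
]

if __name__ == "__main__":
    for (user, obj, org), n in evaluate(RULE_CHANGE_RULE, SAMPLE_EVENTS).items():
        print(f"ALERT rule changed: user={user} object={obj} org={org} changes={n}")
```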