Cybersecurity Forum


isuru
New Contributor II

FortiSIEM - Rule Exceptions not working

Hi,

I was trying to reduce false positives from several rules and wanted to have a few exceptions / whitelisting in place. Following is a sample scenario where I want to whitelist several domains that are triggering the "System Rule : Blacklist User Agent Match".

I cloned the rule and set a few exceptions in the Exception section as follows,

[screenshot attachments: exception settings]

Moreover, I have created a few lists for easy management as follows,

[screenshot attachment: list overview]

This is one of those lists I have created.
[screenshot attachment: list contents]

I tried the rule testing feature also but it won't whitelist the domains I excluded.

Since then I have tried excluding in the rule condition section as follows,

[screenshot attachment: rule condition]

This won't work either. It is still triggering alarms for the whitelisted domains as well.

Following is a sample log that I'm trying to whitelist

[screenshot attachment: sample log]

Any suggestions on this matter?

Regards,
Isuru
Cheers,
Isuru Malawige

FSM_FTNT
Staff

Hi Isuru, Sorry for the delay.

Can you send me that test event? I want to test this out in the lab.

Looking at the rule, this should work.

What version of FSM are you running? If on 5.3.0, I suggest trying 5.3.1.

Thanks

Dan
isuru
New Contributor II

RAW logs
Cheers,
Isuru Malawige
HugoPinto

Hi,

I have the same issue with rule exceptions when we don't pass the Event Attribute in the Group By condition.

Try passing one folder in rule exceptions, like this:

A IN A OR
A IN B OR


isuru
New Contributor II

Hi Hugo,

Thanks for the insight. I'll try it and let you know.

Regards,
Isuru
Cheers,
Isuru Malawige
isuru
New Contributor II

Hi Hugo,

I have set up the rule exceptions as you mentioned,

[screenshot attachment: rule exceptions]
and added the "Destination Host name" attribute to the group by fields as follows,

[screenshot attachment: group-by fields]


But I have the same issue with another rule, "Outbound cleartext password usage from non guest network detected", where I want to exclude a specific "Destination IP" from triggering; it is already in the group-by fields and only refers to a single group, as follows,

[screenshot attachments: destination group-by, condition, and vault list]

Still the rule will trigger for an IP in the range as follows,

[screenshot attachment: triggered incident]

Cheers,
Isuru
Cheers,
Isuru Malawige
HugoPinto

Hi Isuru,

We have the same issue; in our environment it's a cluster of 1 Super + 2 Workers.
It seems it's a bug because redis doesn't pass the objects to the workers.

In our case we resolved the issue by killing the Java process:

SSH to the Super.
killall -9 java
phstatus -a

Regards
Hugo Pinto
Claranet Portugal
RobertEvans

The bug where redis caching doesn't receive updated copies of objects from the super on workers should be fixed in 5.3.2. This only occurs if you restarted redis after java (aka appserver) has already been started. The proper ordering of start is redis first, and then app server.

As for exceptions not working, on upgrade certain natural_ids for objects in the postgres db contain special characters that aren't handled correctly by phQueryMaster/Worker.

Fortinet will have to guide you on removing %2d (for -) for certain object names in the natural id, or the char representation of whitespace for natural ids of certain objects.
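Bringing together Hugo's hint that the excepted attribute must be among the Group By fields and Robert's note about percent-encoded natural_ids, here is an added Python model of how an exception check can fail to suppress an alarm. It is an illustration written for this page, not FortiSIEM code: the event fields, the list name "Whitelist-Domains", its stored id "Whitelist%2dDomains", and the aggregate-then-except evaluation logic are all assumptions made for the example.

```python
"""Model of rule evaluation with group-by aggregation and exception lists.

Added illustration for this thread; it is not FortiSIEM code, and the event
fields, list names and natural_id values are constructed for the example.
It shows two ways an exception can fail to suppress an alarm:
  1. the excepted attribute is not among the rule's Group By fields, so the
     aggregated record the exception is checked against never carries it;
  2. the exception refers to a list whose stored natural_id is percent
     encoded ('%2d' for '-'), so an exact-match lookup misses the list.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample events (not taken from the post's screenshot).
EVENTS = [
    {"srcIpAddr": "10.1.1.10", "destName": "cdn.example.com", "userAgent": "BadBot/1.0"},
    {"srcIpAddr": "10.1.1.11", "destName": "updates.example.net", "userAgent": "BadBot/1.0"},
    {"srcIpAddr": "10.1.1.12", "destName": "evil.example.org", "userAgent": "BadBot/1.0"},
]

# Constructed object store keyed by natural_id. The key imitates the encoded
# form described in the thread: the hyphen is stored as '%2d'.
LISTS = {
    "Whitelist%2dDomains": {"cdn.example.com", "updates.example.net"},
}


def normalize_natural_id(natural_id: str) -> str:
    """Decode percent-escapes (and '+' as space) so that 'Whitelist%2dDomains'
    and 'Whitelist-Domains' compare equal."""
    return unquote(natural_id.replace("+", " "))


def lookup_list(name: str, normalize: bool) -> set:
    """Resolve an exception's list reference against the object store.
    With normalize=False only an exact natural_id match is accepted."""
    if not normalize:
        return LISTS.get(name, set())
    wanted = normalize_natural_id(name)
    for stored, members in LISTS.items():
        if normalize_natural_id(stored) == wanted:
            return members
    return set()


def evaluate(events, group_by, exceptions, normalize_ids=True):
    """Aggregate events by the group_by fields, then apply exceptions of the
    form (attribute, list_name), meaning 'attribute IN list'.  Returns the
    aggregated records (dicts of group-by fields) for which the rule fires."""
    groups = defaultdict(list)
    for ev in events:
        key = tuple((f, ev.get(f)) for f in group_by)
        groups[key].append(ev)

    fired = []
    for key in groups:
        record = dict(key)  # only the group-by fields survive aggregation
        suppressed = False
        for attr, list_name in exceptions:
            members = lookup_list(list_name, normalize_ids)
            if attr in record and record[attr] in members:
                suppressed = True
                break
        if not suppressed:
            fired.append(record)
    return fired


if __name__ == "__main__":
    exc = [("destName", "Whitelist-Domains")]
    # destName is not grouped, so the exception never sees it: 3 alarms.
    print(len(evaluate(EVENTS, ["srcIpAddr"], exc)))
    # destName added to Group By: only the non-whitelisted host fires.
    print(evaluate(EVENTS, ["srcIpAddr", "destName"], exc))
    # Exact-match lookup against the encoded natural_id misses the list.
    print(len(evaluate(EVENTS, ["srcIpAddr", "destName"], exc, normalize_ids=False)))
```

Running the script prints the three cases in order: all three sources fire when "Destination Host Name" is not a Group By field, only evil.example.org fires once it is, and all three fire again when the list reference is matched byte-for-byte against the encoded id instead of the decoded one.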