Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

ManRod
New Contributor II

Created on ‎03-19-2021 05:51 AM

Reverse DNS Queries for CMDB

Hi again,

I have a setup where several devices just report via syslog only (no manual discovery happened).

So the systems hostname in the CMDB is HOST-<IP>, because I suspect it tries to pull the info via SNMP/WMI by default.
Is there any chance of using reverse DNS by default to resolve that name?

I understand that I can chose DNS first instead of SNMP/WMI while discovering the devices, however the discovery seems to require SNMP, which is not used.

If this is not possible, is there any other way like a script that queries DNS Server for the IP and changes the Hostname in the CMDB?

Regards
Manuel
Labels:
830
0 Kudos
3 REPLIES 3
FSM_FTNT
Staff
Staff

Created on ‎03-22-2021 05:45 AM

Hi Manuel,

HOST-<IP> typically happens if logs are received without any discovery. If performing a discovery with SNMP or WMI then the discovery process will check DNS or SNMP/WMI results and add that to the CMDB.

You can enable DNS lookups on logs by enabling lookup:

vi /opt/phoenix/config/phoenix_config.txt

changing this to yes

use_dns_lookup=no

saving the file and restarting the parser process

killall -9 phParser

However, this is disabled by default because if DNS is slow it can cause performance issues for parser process and potentially accepting/processings whilst it waits on DNS response. Suggest you test this in a lab first!

Additionally, the Parser needs a section added to perform a reverse DNS lookup and set the results to the hostname. If you have a sample event from the device you are trying to add, I can take a look when you have time.

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
810
0 Kudos
ManRod
New Contributor II
In response to FSM_FTNT

Created on ‎04-19-2021 05:29 AM

Hi Daniel,

thanks for the reply. I was able to test the setting and as you predicted the parsers need to be adjusted accordingly.

One simple sample event is from the CiscoIOSParser (User logged in command activity)
<189>391: Apr 19 12:28:44.172: %PARSER-5-CFGLOG_LOGGEDCMD: User:srv_user logged command:!exec: enable

Would be great if you tell me how do the DNS Lookup inside the parser, then I am able to customize all the others.

Regards
Manuel
810
0 Kudos
ManRod
New Contributor II
In response to ManRod

Created on ‎05-09-2021 11:30 PM

Hi @Daniel

​I tried to use convertHostNameToIp, However this really seems to work only for host to IP and not for the other direction.

Regards
Manuel
810
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.