FortiGate
fredery (Staff)
Article Id 217352
Description

This article compares SNMP traps and logs as methods of alerting on security events, using a DoS anomaly as the example.

Scope

FortiGate.
Solution

Let’s look at an example:

 

An IPv4 DoS policy is active with logging enabled.

 

The SNMP trap for the event 'IPS detected an anomaly' is enabled under the SNMP community.

 

Traffic is then generated to trigger the events.

 

Attacker : 192.168.0.4

Server targeted : 10.0.0.4

FortiGate MGMT IP : 172.16.0.1

NMS (SNMP trap destination) : 172.16.0.85

 

Log generated:

 

date=2022-07-09 time=18:03:06 eventtime=1657414986873030266 tz="-0700" logid="0720018433" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" severity="critical" srcip=192.168.0.4 srccountry="Reserved" dstip=10.0.0.4 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" sessionid=0 action="detected" proto=1 service="PING" count=18990 attack="icmp_flood" icmpid="0x2f27" icmptype="0x08" icmpcode="0x00" attackid=16777316 policyid=1 policytype="DoS-policy" ref=http://www.fortinet.com/ids/VID16777316 msg="anomaly: icmp_flood, 650 > threshold 20, repeats 18990 times since last log, pps 656 of prior second" crscore=50 craction=4096 crlevel="critical"

 

SNMP trap generated:

 

[screenshot: SNMP trap as received by the NMS]

 

Note: the log clearly contains more information than the SNMP trap.

 

For some enterprises, receiving security events in their NMS via SNMP trap is a requested method for alerting.

 

For other enterprises, security event alerting is accomplished via log collection only.

 

Some other enterprises may even use a combination of both methods.

 

- Whether SNMP traps, logging, or both are used for security events, an enterprise should select the method(s) that meet its policies and align best with its processes and tools.

 

- Logs are by nature more complete than SNMP traps.

 

- Using SNMP traps for alerting does not remove the need for logs: security analysts will typically use the logs to investigate an alert raised by an SNMP trap.

 

- Logging allows granular control over which events are recorded and which are not.

 

- SNMP traps allow less granular control over what is sent: a whole event family is either enabled or disabled.

 

[screenshot: SNMP community event selection]

  

- Logs and SNMP traps are generated by different processes and are independent of each other.

 

- As an example, logging can be disabled for a specific event while an SNMP trap is still generated for it.

 

- Filtering and more complex logic for alerting are typically applied on the collecting side (NMS, SIEM, FortiSoC, etc.).

 

- If SNMP traps are not required for alerting on a given type of security event, disable that event type under the SNMP community configuration (System > SNMP) to reduce resource utilization (CPU, network, storage, etc.).
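Two of the points above, that the log carries detail the trap lacks and that filtering and alert logic belong on the collecting side, can be shown with a small collector-side parser. The following Python is an added example written for this article, not FortiGate, FortiAnalyzer or NMS code: it parses the anomaly log line quoted earlier (reproduced as constructed sample input), extracts the observed rate, threshold and repeat counters from the msg field, and applies an alerting rule whose severity set and MIN_COUNT are assumed example values, not FortiGate settings.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the anomaly log line shown earlier in this article,
# reproduced here so the example runs offline (lab addresses from the article).
SAMPLE_LOG = (
    'date=2022-07-09 time=18:03:06 eventtime=1657414986873030266 tz="-0700" '
    'logid="0720018433" type="utm" subtype="anomaly" eventtype="anomaly" '
    'level="alert" vd="root" severity="critical" srcip=192.168.0.4 '
    'srccountry="Reserved" dstip=10.0.0.4 dstcountry="Reserved" srcintf="port2" '
    'srcintfrole="undefined" sessionid=0 action="detected" proto=1 service="PING" '
    'count=18990 attack="icmp_flood" icmpid="0x2f27" icmptype="0x08" icmpcode="0x00" '
    'attackid=16777316 policyid=1 policytype="DoS-policy" '
    'ref=http://www.fortinet.com/ids/VID16777316 '
    'msg="anomaly: icmp_flood, 650 > threshold 20, repeats 18990 times since last log, '
    'pps 656 of prior second" crscore=50 craction=4096 crlevel="critical"'
)

# FortiGate logs are space-separated key=value pairs. Values are either bare
# (no whitespace) or double-quoted; quoted values may contain spaces, '=' and
# '>' (see msg= above), so a naive split on spaces or '=' would break them.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value pairs of one log line as a dict of strings."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


# The msg= field of an anomaly log carries the observed rate, the configured
# threshold and the repeat counters; none of that is in the trap shown above.
_MSG_RE = re.compile(
    r'anomaly: (?P<attack>\w+), (?P<observed>\d+) > threshold (?P<threshold>\d+)'
    r'(?:, repeats (?P<repeats>\d+) times since last log)?'
    r'(?:, pps (?P<pps>\d+) of prior second)?'
)


def parse_anomaly_msg(msg: str) -> Optional[dict]:
    """Split an anomaly msg= value into its numeric parts; None if not one."""
    m = _MSG_RE.match(msg)
    if m is None:
        return None
    out = {"attack": m.group("attack")}
    for name in ("observed", "threshold", "repeats", "pps"):
        value = m.group(name)
        out[name] = int(value) if value is not None else None
    return out


@dataclass(frozen=True)
class Alert:
    attack: str
    src: str
    dst: str
    severity: str
    count: int
    reasons: tuple


# Collector-side rule. These values are assumptions chosen for the example, not
# FortiGate settings: alert on DoS anomalies of high or critical severity, or
# whose repeat count reaches MIN_COUNT.
ALERT_SEVERITIES = frozenset({"high", "critical"})
MIN_COUNT = 1000


def evaluate(fields: dict) -> Optional[Alert]:
    """Apply the rule to parsed fields; return an Alert or None."""
    if fields.get("type") != "utm" or fields.get("subtype") != "anomaly":
        return None
    severity = fields.get("severity", "")
    count = int(fields.get("count", "0"))
    reasons = []
    if severity in ALERT_SEVERITIES:
        reasons.append(f"severity={severity}")
    if count >= MIN_COUNT:
        reasons.append(f"count={count}>={MIN_COUNT}")
    if not reasons:
        return None
    return Alert(fields.get("attack", "?"), fields.get("srcip", "?"),
                 fields.get("dstip", "?"), severity, count, tuple(reasons))


if __name__ == "__main__":
    parsed = parse_fortigate_log(SAMPLE_LOG)
    print(parse_anomaly_msg(parsed["msg"]))
    print(evaluate(parsed))
```

The same log line fed to a SIEM would let an analyst pivot on srcip, dstip, policyid and the rate-versus-threshold figures; a trap that only identifies the event family cannot support that kind of rule, which is why the trap is at most the alert and the log remains the evidence.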
