Help
FortiSIEM Discussions
Taher11
New Contributor III

Created on ‎08-17-2023 04:07 AM

Forcepoint NGFW Integration with Fortisiem

I succeeded to forward logs from the forcepoint NGFW to fortiSiem but all the event types received are unknown " unknown event type".

 

FortiSIEM , #Forcepoint

 

   

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
1390
0 Kudos
1 Solution
Taher11
New Contributor III

Created on ‎09-06-2023 03:14 AM

Hello we have developed a new parser and the problem was resolved, thank you for your time 

EL MOUSTAPHA MOHAMED LEMINE TAHER

View solution in original post

EL MOUSTAPHA MOHAMED LEMINE TAHER
1292
0 Kudos
8 REPLIES 8
FSM_FTNT
Staff
Staff

Created on ‎08-31-2023 01:54 AM

Are the events being sent in CEF format?

 

Can you share some sample events so that we can see what the issue is?

 

This is a sample event format that FortiSIEM expects to receive:

 

<6>CEF:0|FORCEPOINT|Alert|6.0.1|71257|TCP_Segment-SYN-No-Options|0|spt=2890 deviceExternalId=FW2 node 1 dmac=00:50:56:86:5E:16 dst=192.168.91.67 app=TCP/30152 rt=Sep 22 2016 23:38:00 deviceFacility=Packet filter act=Terminate deviceInboundInterface=2 proto=6 dpt=30152 src=192.168.155.35 dvc=192.168.94.51 dvchost=192.168.94.51 smac=00:10:DB:FF:10:01 cs1Label=RuleId cs1=97.0

1347
Taher11
New Contributor III
In response to FSM_FTNT

Created on ‎08-31-2023 02:15 AM

We are using the LEEF format, but even if we change it to CEF the event type remains unkown.

 

<6>LEEF:1.0|Forcepoint|Firewall|7.0.2|Connection_Allowed|devTimeFormat=MMM dd yyyy HH:mm:ss src=192.168.64.22 dst=192.168.198.102 srcPort=59986 dstPort=2463 proto=6 devTime=Aug 31 2023 09:11:36 sender=Force-1-NDB node 1 action=Allow

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
1344
0 Kudos
FSM_FTNT
Staff
Staff

Created on ‎08-31-2023 02:25 AM

Are you able to use CEF format and provide a sample? Something has probably changed in the log format and we need to make an update.

1339
Taher11
New Contributor III

Created on ‎08-31-2023 02:33 AM

Yes, I can, an update on what exactly?

 

Screenshot 2023-08-31 093227.png

 

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
1336
0 Kudos
FSM_FTNT
Staff
Staff

Created on ‎09-04-2023 08:18 AM

Can you send to me directly an export in CSV format of the forecpoint logs? A varied sample of logs will be best.

 

I can see that Forcepoint have changed their log format.

 

Thanks

1307
0 Kudos
Taher11
New Contributor III

Created on ‎09-06-2023 03:14 AM

Hello we have developed a new parser and the problem was resolved, thank you for your time 

EL MOUSTAPHA MOHAMED LEMINE TAHER
EL MOUSTAPHA MOHAMED LEMINE TAHER
1293
0 Kudos
AbdelrahmanEmad
New Contributor
In response to Taher11

Created on ‎07-30-2024 01:19 AM

Hello @Taher11,
Can you share the custom parser for force-point?
Thanks,

349
0 Kudos
Merzeq_R
New Contributor

Created on ‎07-29-2024 12:04 AM

Hello Taher,

Can I get the Custom Parser?

MR
MR
371
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.