Help
FortiSIEM Discussions
Bruce7x2
New Contributor III

Created on ‎12-04-2023 12:54 AM

[FortiSIEM]Default report to meet Fortigate VPN User Logon

Dear Team,

 

I would like to know whether there's a report to show me the login status(Success/Failure) of the VPN User via FortiGate.

 

If FortiSIEM has any Default Report Template can meet this. Or I can clone an existing report and then modify it to meet the above description. 

 

Thank you ~

 

Bruce Liu
Bruce Liu
Labels:
1085
0 Kudos
1 Solution
FSM_FTNT
Staff
Staff

Created on ‎12-04-2023 09:16 AM

Bruce,

 

There are a variety of VPN authentication reports available, all can be customised.

 

Go to Resource / Reports and search for VPN, you will see several examples.

 

I am attaching a report that provides "Failed and Successful VPN Logon by Type, Source IP and User". To use it, go to Resources / Reports / Frequently Used folder or another folder you want to save it in.

Then click the more button and then Import. You can then run the report as needed.

View solution in original post

Failed and Successful VPN Logon by Type Source IP and User.xml.zip
1059
6 REPLIES 6
premchanderr
Staff
Staff

Created on ‎12-04-2023 01:50 AM

Hi Bruce,

 

There is no default rules specific to VPN logon, but generic login is available.

 

If firewall sends traffic related to VPN then you can tweak the parser for it and create own custom rules. 

You would need to analyze the events in GUI by using filter such as Raw Event Log contains "Username"  .

Regards,
Prem Chander R
1074
0 Kudos
FSM_FTNT
Staff
Staff

Created on ‎12-04-2023 09:16 AM

Bruce,

 

There are a variety of VPN authentication reports available, all can be customised.

 

Go to Resource / Reports and search for VPN, you will see several examples.

 

I am attaching a report that provides "Failed and Successful VPN Logon by Type, Source IP and User". To use it, go to Resources / Reports / Frequently Used folder or another folder you want to save it in.

Then click the more button and then Import. You can then run the report as needed.

Failed and Successful VPN Logon by Type Source IP and User.xml.zip
1060
adem_netsys
Contributor

Created on ‎12-20-2023 01:08 AM

Hi @Bruce7x2 @FSM_FTNT 

 

How can I create the duration of the users here?

995
0 Kudos
Secusaurus
Contributor II
In response to adem_netsys

Created on ‎12-20-2023 02:10 AM

Hi adem_netsys,

 

Regarding FortiGate, unfortunately I cannot see this exact information in the logs. There is a log "statistics" that lists the sent & received bytes, but not the full duration.

Grouping by user and checking the last log against the first log (subtracting the timestamps) could do the trick, but if a user signed in and out multiple times, you would not draw the correct picture.

I know that the FortiAnalyzer can parse that. If you've got one, perhaps you can try to send over this information to the SIEM via individual event every time a user disconnects?

 

Other vendors may have this information in their statistics, but I only got FortiGates here where I can check on that question.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
FCP & FCSS Security Operations | Fortinet Advanced Partner
986
adem_netsys
Contributor
In response to Secusaurus

Created on ‎12-20-2023 03:36 AM

Hi Christian,

Obviously, I want to do this on pulse. I saw duration in the pulse logs, but as you said, this was not a real duration time, interruptions, disconnections do not give an accurate result. I would expect this to be in the default rules.

980
0 Kudos
FSM_FTNT
Staff
Staff
In response to adem_netsys

Created on ‎12-22-2023 01:02 AM

Hi Adem, What do you want to alert on? If a user if connected to the VPN for X time?

 

If you can share some sample logs, then I can check how to do this.

958
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.