FortiSIEM Discussions
Bruce7x2
New Contributor III

[FortiSIEM]Default report to meet Fortigate VPN User Logon

Dear Team,

I would like to know whether there's a report to show me the login status (Success/Failure) of the VPN User via FortiGate.

Does FortiSIEM have any Default Report Template that can meet this? Or can I clone an existing report and then modify it to meet the above description?

Thank you ~

Bruce Liu
1 Solution
FSM_FTNT
Staff

Bruce,

There are a variety of VPN authentication reports available, all can be customised.

Go to Resource / Reports and search for VPN, you will see several examples.

I am attaching a report that provides "Failed and Successful VPN Logon by Type, Source IP and User". To use it, go to Resources / Reports / Frequently Used folder or another folder you want to save it in.

Then click the more button and then Import. You can then run the report as needed.

premchanderr
Staff

Hi Bruce,

There are no default rules specific to VPN logon, but generic login is available.

If the firewall sends traffic related to VPN then you can tweak the parser for it and create your own custom rules.

You would need to analyze the events in the GUI by using a filter such as Raw Event Log contains "Username".

Regards,
Prem Chander R
adem_netsys
Contributor

Hi @Bruce7x2 @FSM_FTNT

How can I create the duration of the users here?

Secusaurus

Hi adem_netsys,

Regarding FortiGate, unfortunately I cannot see this exact information in the logs. There is a log "statistics" that lists the sent & received bytes, but not the full duration.

Grouping by user and checking the last log against the first log (subtracting the timestamps) could do the trick, but if a user signed in and out multiple times, you would not draw the correct picture.

I know that the FortiAnalyzer can parse that. If you've got one, perhaps you can try to send over this information to the SIEM via individual event every time a user disconnects?

Other vendors may have this information in their statistics, but I only got FortiGates here where I can check on that question.

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
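
The pitfall described in the post above, as an added example that is not part of the original thread: pairing each logon with the next logoff per user gives per-session time, while first-to-last subtraction overstates it when a user reconnects. The event tuples and field names are constructed for illustration and are not a FortiGate or FortiSIEM log format.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: (timestamp, user, event). Hypothetical field names.
EVENTS = [
    ("2024-05-01 08:00:00", "alice", "logon"),
    ("2024-05-01 09:30:00", "alice", "logoff"),
    ("2024-05-01 10:00:00", "bob", "logon"),      # never logs off in this window
    ("2024-05-01 13:00:00", "alice", "logon"),
    ("2024-05-01 13:45:00", "alice", "logoff"),
    ("2024-05-01 17:00:00", "alice", "logon"),    # still connected at end of window
]


def sessions(events):
    """Pair each logon with the next logoff of the same user.

    Returns (closed, still_open): closed is a list of (user, start, end),
    still_open maps user -> start time of a session with no logoff yet.
    """
    still_open, closed = {}, []
    for ts, user, kind in sorted(events):
        t = datetime.strptime(ts, FMT)
        if kind == "logon":
            # A repeated logon without a logoff restarts the session clock.
            still_open[user] = t
        elif kind == "logoff" and user in still_open:
            closed.append((user, still_open.pop(user), t))
    return closed, still_open


def connected_seconds(events):
    """Total connected time per user, summed over completed sessions only."""
    totals = {}
    for user, start, end in sessions(events)[0]:
        totals[user] = totals.get(user, 0.0) + (end - start).total_seconds()
    return totals


def naive_seconds(events):
    """Last timestamp minus first timestamp per user (the misleading figure)."""
    seen = {}
    for ts, user, _ in events:
        seen.setdefault(user, []).append(datetime.strptime(ts, FMT))
    return {u: (max(v) - min(v)).total_seconds() for u, v in seen.items()}
```

Sessions left in `still_open` are worth reporting separately, since they have no end time and are excluded from the totals.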
adem_netsys

Hi Christian,

Obviously, I want to do this on pulse. I saw duration in the pulse logs, but as you said, this was not a real duration time; interruptions and disconnections do not give an accurate result. I would expect this to be in the default rules.

FSM_FTNT

Hi Adem, What do you want to alert on? If a user is connected to the VPN for X time?

If you can share some sample logs, then I can check how to do this.