Hello @Secusaurus thank you for reply.

1. The events logs are not followed on FSIEM, each fortigate uses syslogs to sends a lot so they arrive between ips, generic, ipsec .... 

2. I'm not using FAC for MFA, I just using the local users on Fortigate with tokens on email.

3. If I use a local database of users to validate, this will not detect a login without token when the ssl-vpn get exploited from some future bug.

Regards.

Hello @gwaihir,

Thanks for the input. I've looked up the logs created for one of our customers on FSM. Unfortunately, I agree, this is not very clear here. If it does not send out push notifications (as in your case), you cannot see if it's using MFA at all.

I can see very clear logs for that on a FAC, but not on a FortiGate if that's the only device.

You might want to try to use the "AND" operator for these two subpatterns. This will look for the one event (tunnel up), find more than one for a user in the time frame and then requires the rule to find the other event (fortitoken push) on the other pattern in the same time frame. Connecting the user, remote ip and reporting device should link these logs properly.

Regarding your concerns about (3): I am not quite sure if the ssl vulnerability enabled users to logon without tokens. I would assume that there needs to be a config change before that which would have caused an incident hours or days before this user logs on.

Also note, that SSL-VPN is not recommended anymore on FortiGates and you should consider moving to ZTNA or IPSec (there is a IPSec over TCP/443 option starting in v7.4, which is mature already - it's just that the FortiClient for that is not finished yet).

Best,

Christian