What filters need to be enabled to transfer the source IP address devname = "device_fortigate" on log forwarding?
logver = 604145463 timestamp = 1705406294 devname = "device_fortigate" devid = "FG" vd = "root" date = 2024 - 01 - 16 time = 14: 58: 14 eventtime = 1705406295007253541 tz = "" logid = "15010500" type = "utm" subtype = "dns" eventtype = "dns-response" level = "warning" policyid = 459 sessionid = 1734461551 srcip = IP srcport = srcintf = "DMZ01" srcintfrole = "dmz" dstip = IP dstport = dstintf = "DC-Transport" dstintfrole = "lan" proto = 17 profile = "DNS-Log" xid = 25739 qname = "" qtype = "A" qtypeval = 1 qclass = "IN" ipaddr = "127.0.0.1" msg = "A rating error occurs" action = "pass" cat = 255 catdesc = "Unknown" error = "no available Fortiguard SDNS servers"
Hi @VasilyZaycev.
Using the following commands on the FortiAnalyzer will allow the event to retain its original source IP:
config system log-forward
edit <id>
set fwd-log-source-ip original_ip
next
end
I hope that helps!
Hi,
If you are referring to log forwarding for a specific device, you can enable Device Filters and select the specific device under Log Forwarding Filters.
I mean the device name also had information about its IP.
Thank you!
And does this command also need to be applied on the end device FortiGate, or is it enough on the collector FortiAnalyzer?
It's a FortiAnalyzer-only command. It will spoof the source IP address of the event. FortiSIEM thinks that the event arrived directly from the firewall, therefore the reporting IP will be the original IP. It does not add/change the raw event.
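An added illustration (not part of this thread, and not Fortinet code) of the behaviour described above: the raw FortiGate key=value event carries devname/devid but no field naming the firewall itself, so a SIEM's "reporting IP" has to come from the source address of the syslog packet, which is exactly what the forwarder preserves or overwrites. The sample event and all addresses are constructed placeholders modelled on the log quoted in the question.

```python
import re

# Constructed sample in FortiGate key=value syslog format, modelled on the event
# quoted in the question; all addresses are placeholders.
SAMPLE_EVENT = (
    'logver=604145463 timestamp=1705406294 devname="device_fortigate" devid="FG" '
    'vd="root" logid="15010500" type="utm" subtype="dns" eventtype="dns-response" '
    'level="warning" srcip=10.10.1.25 srcport= srcintf="DMZ01" dstip=10.20.1.2 '
    'dstport=53 proto=17 qname="" qtype="A" ipaddr="127.0.0.1" '
    'msg="A rating error occurs" action="pass" error="no available Fortiguard SDNS servers"'
)

# key=value where the value is double-quoted (may contain spaces or be empty)
# or a bare token; an empty bare value such as 'srcport=' is kept as "".
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortigate_event(raw: str) -> dict:
    """Parse a FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in _KV.findall(raw):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def attribute_reporter(raw: str, packet_src_ip: str) -> dict:
    """Model how a SIEM identifies the reporting device: the reporting IP is the
    transport source address of the received packet; devname/devid come from the
    raw event, which the forwarder does not rewrite."""
    ev = parse_fortigate_event(raw)
    return {"reporting_ip": packet_src_ip, "devname": ev.get("devname"), "devid": ev.get("devid")}


def forward(events, forwarder_ip: str, original_ip: bool):
    """Simulate FortiAnalyzer log forwarding over a list of (firewall_ip, raw_event).
    original_ip=True models 'set fwd-log-source-ip original_ip': the forwarded
    packet keeps the firewall's address as its source; False models the
    FortiAnalyzer sending from its own address."""
    return [(fw_ip if original_ip else forwarder_ip, raw) for fw_ip, raw in events]


def distinct_reporting_ips(events, forwarder_ip: str, original_ip: bool) -> set:
    """How many reporting devices the SIEM would see after forwarding."""
    return {attribute_reporter(raw, src)["reporting_ip"]
            for src, raw in forward(events, forwarder_ip, original_ip)}
```

With two firewalls behind one FortiAnalyzer, the original_ip setting yields two distinct reporting IPs, while sending from the forwarder's own address collapses both into one device that only devname can tell apart.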
Thank you! I'll come back with feedback after the test!
Thank you @Richie_C! It works!
Thanks for letting us know.
Thanks
Hi VasilyZaycev,
Can you tell me, in this case, how many licences you need? (the number of firewalls, or just 1 device (FortiAnalyzer))