rezafathi
Contributor II

Fortianalyzer event handler

Hi

I have created an event handler on FAZ to identify which IP is trying to download the virus and then created a stitch on FGT to ban the IP of that user, but it does not work when I try to download the EICAR test virus. The screenshot is my FAZ configuration. Thanks.

[screenshot: FAZ event handler configuration]

Reza F.

10 replies
ozkanaltas
Valued Contributor II

Hello @rezafathi ,

 

When you download the eicar test file, is the log created on FortiAnalyzer or not? 

 

If you say yes, is this log id the same as "0211008192" or not? 

 

Also, can you share the automation stitch configuration with us?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
rezafathi

Hi

Yes, the log is created, and the log ID is the same.

[screenshot: FAZ log entry]

Reza F.
ozkanaltas
Valued Contributor II

Hello @rezafathi ,

 

Do you see any count on the Event Handler Events column? 

 

[screenshot: Event Handler Events column]

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
rezafathi

Yes

Reza F.
ozkanaltas
Valued Contributor II

Hello @rezafathi ,

 

Do you see the trigger count on your FortiGate?

 

[screenshot: FortiGate automation stitch trigger count]

 

Also, can you check the ban status with this command? 

 

diagnose user banned-ip list

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
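The troubleshooting steps above boil down to two checks: does a log with the handler's log ID (0211008192) arrive with the downloader's source IP, and does that IP then show up in the FortiGate ban list. The following is an added example, not code from the thread or from Fortinet; it parses constructed FortiGate-style key=value antivirus log lines, collects the source IPs that would match an event handler filtering on that log ID, and reports which of them are absent from a ban list the administrator has already extracted (for instance from the output of diagnose user banned-ip list). The sample log lines and field values are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in FortiGate key=value syslog style.
# Field names follow the usual FortiOS layout; all values are invented for this example.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.0.0.5 dstip=203.0.113.10 '
    'service="HTTP" action="blocked" virus="EICAR_TEST_FILE" filename="eicar.com"',
    'date=2024-05-01 time=10:00:05 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.0.7 dstip=203.0.113.11 action="accept"',
    'date=2024-05-01 time=10:00:09 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.0.0.9 dstip=203.0.113.12 '
    'service="HTTPS" action="blocked" virus="EICAR_TEST_FILE" filename="eicar.com.txt"',
    'date=2024-05-01 time=10:00:12 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" srcip=10.0.0.5 dstip=203.0.113.13 '
    'service="HTTP" action="blocked" virus="EICAR_TEST_FILE" filename="eicarcom2.zip"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one key=value log line into a dict, with surrounding quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def virus_download_sources(lines, logid="0211008192"):
    """Return {srcip: [filenames]} for lines whose logid matches the event handler filter.

    This mirrors what the FAZ event handler does: only the virus-infected log ID
    from the thread is considered; traffic logs and other IDs are ignored.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("logid") != logid or "srcip" not in rec:
            continue
        hits[rec["srcip"]].append(rec.get("filename", ""))
    return dict(hits)


def missing_bans(sources, banned_ips):
    """IPs that triggered the handler but are not present in the FortiGate ban list.

    `banned_ips` is whatever the administrator extracted from the ban list output;
    an empty result means every offending source was quarantined as intended.
    """
    banned = set(banned_ips)
    return sorted(ip for ip in sources if ip not in banned)


if __name__ == "__main__":
    sources = virus_download_sources(SAMPLE_LOGS)
    for ip, files in sources.items():
        print(f"{ip} downloaded {len(files)} flagged file(s): {', '.join(files)}")
    # Suppose the ban list on the FortiGate only contains 10.0.0.9.
    print("not banned:", missing_bans(sources, ["10.0.0.9"]))
```

Running the script with the constructed sample shows two source IPs matching the handler's log ID and reports 10.0.0.5 as still unbanned; in a real investigation the same comparison tells you whether the gap is on the FAZ side (no matching log reaches the handler) or on the FortiGate side (the stitch fires but the quarantine action does not take effect).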
rezafathi

Yes, I see the trigger count. And I checked the command, but no IP is banned.

Reza F.
ozkanaltas
Valued Contributor II

Hi @rezafathi ,

 

That's interesting. I tried the same scenario in my lab environment, and everything works well.

 

Maybe someone else has faced this issue. Also, if you have an active license, you can open a case with Fortinet support. A support engineer will inspect the problem in depth.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
rezafathi

Hi

I do not see any trigger count on the FortiGate. Should I enable central management on the FortiGate? Because it is disabled.

Reza F.
ozkanaltas
Valued Contributor II

Hi @rezafathi ,

 

No need for central management configuration. Maybe reconfiguring the event handler and the automation stitch can solve the problem.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW