Hörtnagl
New Contributor

Honeypot - send alert if policy ID is hit

Hello community,

I need some help configuring an alert for a specific policy ID on my FortiGate device. I have a local honeypot (in VDOM) and an IP blacklist of known command and control sites (updated every 30 minutes).
When these policy IDs get ANY traffic, I want to get an alert via email or ideally a Teams webhook.
Does anyone know how to do this using FortiGate, (free) FortiAnalyzer or Cloud?
I have searched the documentation but haven't found a clear answer.
Any help would be greatly appreciated. Thanks in advance.

gfleming
Staff

If that's the only DENY policy in the VDOM, you could do this with the Traffic Violation trigger in Security Fabric Automation Stitches.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/43081/triggers

Cheers,
Graham
Hörtnagl

This is not possible. We have 3 firewalls (2 VDOMs each). We only want to get an email for specific rules; the other deny rules are there, but we only need the logs for forensic purposes.

gfleming

Oh somehow I missed you were using FAZ. You can create a custom event handler for any logs that come up for that policy (filter by policy ID).
https://docs.fortinet.com/document/fortianalyzer/7.2.2/administration-guide/348606/creating-a-custom...
That should work just fine for what you want.

Cheers,
Graham
Hörtnagl

THX Graham.
I tried that, but I did not manage to create an event hit.
But this looks definitely the most promising.
Data Selector: Set a Filter Logdevice=Fortigate, Type=Any, Subtype=Any, Logfield=Policyid equal 213 (for testing, 213 writes a log every time I ping 1.1.1.1).

Hörtnagl

BTW:
if the FW rule is "accept", I get a mail after a few minutes (= event handler works),
but if I try it with a "deny", the event handler does not get triggered.
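A small offline check of the same filter logic, added here as an example and not part of this thread or of any Fortinet product: it parses FortiGate-style key=value traffic log lines (the sample lines below are constructed) and applies the data selector described above, policyid equal 213 with type and subtype set to Any. Because the selector never looks at the action field, an accept line and a deny line for policy 213 should both match; if a real deny line from FAZ fails this check, the field it carries is worth comparing with the handler filter.

```python
import re
from typing import Dict, List, Optional

# FortiGate logs are space-separated key=value pairs; string values are double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fgt_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def matches_selector(fields: Dict[str, str], policy_id: str = "213",
                     log_type: Optional[str] = None,
                     subtype: Optional[str] = None) -> bool:
    """Mirror the FAZ data selector: policyid equal <policy_id>, type/subtype Any
    unless given. The action field is deliberately ignored, so accept and deny
    traffic for the policy both match."""
    if fields.get("policyid") != str(policy_id):
        return False
    if log_type is not None and fields.get("type") != log_type:
        return False
    if subtype is not None and fields.get("subtype") != subtype:
        return False
    return True


def alerts_for(lines: List[str], policy_id: str = "213") -> List[Dict[str, str]]:
    """Return one Teams incoming-webhook payload ({"text": ...}) per matching line.
    Posting it is left to the caller (e.g. requests.post to the webhook URL)."""
    out = []
    for line in lines:
        f = parse_fgt_log(line)
        if matches_selector(f, policy_id):
            text = (f"policy {f['policyid']} hit on {f.get('devname', '?')}: "
                    f"{f.get('srcip', '?')} -> {f.get('dstip', '?')} "
                    f"action={f.get('action', '?')}")
            out.append({"text": text})
    return out


# Constructed sample lines (not real device output); vd, IPs and names are made up.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:00:01 devname="FGT-LAB" type="traffic" subtype="forward" vd="honeypot" srcip=10.0.0.5 dstip=1.1.1.1 proto=1 action="accept" policyid=213 service="PING"',
    'date=2024-01-15 time=10:00:02 devname="FGT-LAB" type="traffic" subtype="forward" vd="honeypot" srcip=10.0.0.5 dstip=1.1.1.1 proto=1 action="deny" policyid=213 service="PING"',
    'date=2024-01-15 time=10:00:03 devname="FGT-LAB" type="traffic" subtype="forward" vd="honeypot" srcip=10.0.0.9 dstip=8.8.8.8 proto=1 action="deny" policyid=7 service="PING"',
]
```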

gfleming

I assume you have logging enabled on the policy even when it's in deny mode?
Do you see the logs in FAZ for the denies?

Cheers,
Graham
Hörtnagl

Yes - logging is on and I can see Firewall Action "deny" entries in FAZ.

gfleming

Interesting. I assume your event handler is enabled?
Do you see the events being generated in the Event Monitor?
Can you show the configuration for your event handler?

Cheers,
Graham