Implicit policy remediation with help of FAZ reporting
Hello,
I have a FortiGate with an implicit allow all policy:
ANY srcintf to ANY dstintf with ALL sources to ALL dest and ALL services.
I am looking for a way to leverage FortiAnalyzer to extract unique connections, and based on that create explicit firewall policies above.
Any ideas on how to use the reporting feature in FAZ?
Thank you!
Cosmin
Labels: FortiAnalyzer
Hi,
The reports are made to summarize. Instead use the LogView and Download option there.
Best,
Hey atos_network,
I'm not sure what FortiGate firmware version you have, but you could check out the Learn Mode option (this requires both FortiAnalyzer AND FortiManager):
- If the FortiGate (or specific VDOM) is in NGFW mode (policy-based instead of profile-based), then you can enable the learn mode in policies
- this essentially allows all traffic and monitors everything
- this feeds logs to FortiAnalyzer
- FortiManager Policy Analyzer collects the logs from FortiAnalyzer to analyse them and provide policy recommendations
Learn Mode on FortiGate:
https://docs.fortinet.com/document/fortigate/7.4.6/administration-guide/243446/ngfw-policy#Introduce...
If you don't have a FortiManager, depending on your FortiGate firmware version (and if it has disk logging and reporting enabled), you should be able to generate a 'Learning Report' locally.
Is this at least in the direction you're looking for advice?
Regarding reporting on FortiAnalyzer, in principle FortiAnalyzer CAN provide an overview of whatever is logged on the FortiGate. The question is what you mean with 'unique connections'.
You could simply create a report that shows you every single traffic session, or a report that shows you unique source/destination IPs and how many sessions each saw, or you could use one of the webfilter/bandwidth reports to get an overview of what domains saw the most traffic, etc.
A more detailed outline of what you want to see on the report would be helpful :)
Cheers,
Debbie
Hello,
Thank you for your reply.
I will look into the FAZ-FM-FG combination for Learn Mode option, that sounds like the automatic way to do what I am trying to achieve.
Basically I am looking to extract rows with 3-tuple (srcip/dstip/dstport) from the policy.
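As an added illustration of the manual route described in this thread (Log View download, then extracting unique srcip/dstip/dstport rows), the following Python script is not from the thread or from Fortinet; it parses constructed sample lines in the FortiGate traffic-log key=value format, keeps only sessions accepted by the catch-all policy, deduplicates the 3-tuples (plus protocol) and groups them into candidate explicit policies. The field names used (srcip, dstip, dstport, proto, srcintf, dstintf, policyid, action) are standard traffic-log fields; the assumption that the catch-all policy logs as policyid=0 is a placeholder and should be replaced with the real policy ID from the FortiGate.

```python
import re
from collections import Counter, defaultdict

# FortiGate logs are space-separated key=value pairs; string values are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not real captures). policyid=0 stands in for the catch-all policy.
SAMPLE_LOG = """\
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.1.25 srcintf="port1" dstip=203.0.113.10 dstintf="port2" srcport=51344 dstport=443 proto=6 service="HTTPS" policyid=0 action="accept"
date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.1.25 srcintf="port1" dstip=203.0.113.10 dstintf="port2" srcport=51345 dstport=443 proto=6 service="HTTPS" policyid=0 action="accept"
date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.1.40 srcintf="port1" dstip=10.0.2.5 dstintf="port3" srcport=40000 dstport=53 proto=17 service="DNS" policyid=0 action="accept"
date=2024-05-01 time=10:00:04 type="traffic" subtype="forward" srcip=10.0.1.40 srcintf="port1" dstip=10.0.2.5 dstintf="port3" srcport=40001 dstport=53 proto=17 service="DNS" policyid=0 action="accept"
date=2024-05-01 time=10:00:05 type="traffic" subtype="forward" srcip=10.0.1.25 srcintf="port1" dstip=10.0.2.5 dstintf="port3" srcport=40002 dstport=53 proto=17 service="DNS" policyid=0 action="accept"
date=2024-05-01 time=10:00:06 type="traffic" subtype="forward" srcip=10.0.1.25 srcintf="port1" dstip=10.0.2.9 dstintf="port3" srcport=50002 dstport=22 proto=6 service="SSH" policyid=5 action="accept"
date=2024-05-01 time=10:00:07 type="traffic" subtype="forward" srcip=10.0.1.77 srcintf="port1" dstip=198.51.100.7 dstintf="port2" srcport=50003 dstport=23 proto=6 service="TELNET" policyid=0 action="deny"
"""


def parse_line(line):
    """Turn one key=value log line into a dict, stripping the quotes around string values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def catch_all_sessions(lines, catch_all_policyid="0"):
    """Yield parsed records for sessions the catch-all policy accepted (denied traffic
    and traffic already matched by an explicit policy are not needed for remediation)."""
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("policyid") == catch_all_policyid and rec.get("action") == "accept":
            yield rec


def unique_tuples(lines, catch_all_policyid="0"):
    """Count sessions per unique (srcip, dstip, proto, dstport); proto is kept because
    the same dstport means different services on TCP and UDP."""
    counts = Counter()
    for rec in catch_all_sessions(lines, catch_all_policyid):
        counts[(rec["srcip"], rec["dstip"], rec["proto"], rec["dstport"])] += 1
    return counts


def policy_candidates(lines, catch_all_policyid="0"):
    """Group the tuples into candidate explicit policies: one per
    (srcintf, dstintf, dstip, proto, dstport), with the set of sources that used it.
    Sorted by hit count so the busiest flows get explicit rules first."""
    srcips = defaultdict(set)
    hits = Counter()
    for rec in catch_all_sessions(lines, catch_all_policyid):
        key = (rec["srcintf"], rec["dstintf"], rec["dstip"], rec["proto"], rec["dstport"])
        srcips[key].add(rec["srcip"])
        hits[key] += 1
    return [
        {"srcintf": k[0], "dstintf": k[1], "dstip": k[2], "proto": k[3],
         "dstport": k[4], "srcips": sorted(srcips[k]), "hits": hits[k]}
        for k, _ in hits.most_common()
    ]


if __name__ == "__main__":
    # Usage with a downloaded Log View file: open(path) instead of SAMPLE_LOG.splitlines()
    for cand in policy_candidates(SAMPLE_LOG.splitlines()):
        print(f"{cand['srcintf']} -> {cand['dstintf']}: {cand['srcips']} -> "
              f"{cand['dstip']} proto={cand['proto']} dstport={cand['dstport']} "
              f"({cand['hits']} sessions)")
```

The grouping by interface pair and destination service is the shape an explicit FortiGate policy takes (srcintf, dstintf, source addresses, destination address, service), so each output row maps to one policy to place above the catch-all; sessions the catch-all denied or that an existing explicit policy already matched are left out of the count.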