FortiSIEM Discussions
adem_netsys

FortiSIEM:Firewall Policy Report

Hi,

I want to create a report of the rules and objects created/deleted on the firewall. As far as I can see, there is no such report by default. When I look manually on the FortiGate, it does not send a distinctive log (such as "policy created"). Has anyone experienced this?

Secusaurus

Hi adem_netsys,

 

The corresponding log (via syslog) gets the event type "FortiGate-event-config-object-attribute-message". The Firewall Action will be "Add"/"Delete", the Object Path will describe the specific change, in your case probably "firewall.policy". In the "User defined msg" there will be the full description of the change, on which you can filter if you like.

 

So, for auditing, you will need to build a report based on this information manually.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
adem_netsys

Hi @Secusaurus,

Thank you for your reply. Well, how will this situation be for Palo Alto? It may be necessary to explain this correctly to the customer.

Secusaurus

Hi adem_netsys,

 

Unfortunately, I do not have a Palo Alto FW in our lab to look up these logs. I would expect these logs to be found somewhere here:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
adem_netsys

Thank you for all of them.

adem_netsys

@Secusaurus 

 

Not on topic here, but you may have come across it. I am getting ESXi logs and observing the device status in the SIEM. I previously moved the logs that came to the supervisor over to the collector and rediscovered the device, but after that the device information started to come back empty (memory, CPU, etc.). What could be the cause?
I know FortiAnalyzer can parse this; if it can, perhaps you could try sending this information to the SIEM via a separate event each time a user disconnects?

 

FSM_FTNT

Hi, not sure I follow this last question. What logs are you trying to parse?