Event Handler - Common Address Table for Inclusion / Exclusion

To streamline SOC processes, a new subnet table has been added to the Event Monitor to allow blacklist or whitelist addresses to be defined. These addresses can be linked to any event handlers to include or exclude them from triggering. This avoids the need to specify common networks in every event handler.

Subnet inclusion and exclusion in event handlers is supported in FortiGate, FortiWeb, FortiMail, and Fabric ADOMs.

To create a subnet:
  1. Go to Incidents & Events > Subnet List.
  2. Select Create New > Subnet.
  3. Enter a name for the subnet.
  4. Select a Subnet type and configure the corresponding information.
    Subnet types include:
    • Subnet Notation
    • IP Range
    • Batch Add
  5. Select OK.

To create a subnet group:
  1. Go to Incidents & Events > Subnet List.
  2. Select Create New > Subnet Group.
  3. Enter a name for the subnet group.
  4. Select the subnet entries to be included in the group.
  5. Select OK.

To include or exclude subnets in an event handler:
  1. Go to Incidents & Events > Event Handler List.
  2. Select an event handler to edit from the list, or select Create New.
  3. In the Subnets category, select Specify.
  4. Choose which subnets are included or excluded by selecting them from the corresponding dropdown menu.
  5. Select OK.
    • In the example below, one set of logs has the source IP address 172.16.81.26, which falls into both the Include range and the Exclude range (172.16.81.20-30). Because the Exclude range takes priority, no events are generated. The second set of logs has the source IP address 172.16.81.33, which falls into the Include range but not the Exclude range, so events are generated.
    • You can drill down on the event for additional log details.

To check the configuration of the handler in the CLI:
  1. Use the following CLI command to check the newly created handler configurations:
    diagnose test application sqllogd 200 config handler=name
  2. Below is an example of the results you will see:
    * Enabled handlers in Adom root [3] is 9:
    ----------------------------------------
    Handler Name   : 1
    Handler Type   : Local
    Subject        :
    Subject Parsed : app:%s (type 1)
    Event Status   :  (0)
    Tag            :
    Meta Info      : objver=4 timestamp=0
    Device Type    : FortiGate
    Log Type       : traffic
    Event Type     : traffic
    Groupby1       : cfg=app          run=app, type=0
    Groupby2       : cfg=             run=dvid, type=1
    Severity       : medium
    Thres cnt, dura: 1 in 30 mins, per-log-alert=No
    Log chk/hit    : 2/1
    device specify : all-devices
    N devices      : 1, dev-filters=0
        All_FortiGate (all_devices)
    N rules        : 1
        pri >= 6(integer)
    criteria       : ( pri<=6 )
    filterkey      : 16096584147921068432
    sqlfilter      : ( (level="information" OR level="notice" OR level="warning" OR level="error" OR level="critical" OR level="alert" OR level="emergency") )
    
    ipv4 include   : ((srcip>='172.16.81.0' AND srcip<='172.16.81.255') OR (srcip>='172.16.81.0' AND srcip<='172.16.81.255'))
    
    ipv4 exclude   : ((srcip>='172.16.81.20' AND srcip<='172.16.81.30') OR (srcip>='172.16.81.20' AND srcip<='172.16.81.30'))
    
    addr sql filter: ((srcip>='172.16.81.0' AND srcip<='172.16.81.255') OR (srcip>='172.16.81.0' AND srcip<='172.16.81.255')) AND ( NOT ((srcip>='172.16.81.20' AND
    srcip<='172.16.81.30') OR (srcip>='172.16.81.20' AND srcip<='172.16.81.30')))
    
    * Enabled handlers in Adom root [3] is 9.
    
    FAZVM64 #
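The following is an added worked example, not Fortinet's code or output, showing how the Include/Exclude selection described above is evaluated against log source addresses and how it maps to the include-AND-NOT-exclude shape of the "addr sql filter" line in the CLI output. The subnet table entries, the value formats for the three Subnet types, the sample log lines and the function names are all constructed for this example; the assumption that an empty Include list means "no restriction" is also the example's own.

```python
"""Added example: evaluate an event handler's Include/Exclude subnets the way
the page describes (Exclude wins), and render the equivalent SQL-style filter."""
import ipaddress
import re

# Constructed subnet table: name -> (Subnet type, value). The three types match
# the page's Subnet Notation / IP Range / Batch Add choices; the value formats
# (CIDR, "start-end", newline-separated batch) are assumptions for this example.
SUBNET_TABLE = {
    "lab-net":       ("Subnet Notation", "172.16.81.0/24"),
    "scanner-range": ("IP Range",        "172.16.81.20-172.16.81.30"),
    "mgmt-hosts":    ("Batch Add",       "10.10.0.0/28\n10.10.1.5-10.10.1.9"),
}


def entry_ranges(subnet_type, value):
    """Expand one subnet-table entry into a list of (first, last) integer ranges."""
    if subnet_type == "Subnet Notation":
        net = ipaddress.ip_network(value, strict=False)
        return [(int(net.network_address), int(net.broadcast_address))]
    if subnet_type == "IP Range":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if last < first:
            raise ValueError(f"range end before start: {value}")
        return [(int(first), int(last))]
    if subnet_type == "Batch Add":
        ranges = []
        for line in value.splitlines():
            line = line.strip()
            if line:
                kind = "IP Range" if "-" in line else "Subnet Notation"
                ranges.extend(entry_ranges(kind, line))
        return ranges
    raise ValueError(f"unknown subnet type: {subnet_type}")


def handler_matcher(include, exclude, table=SUBNET_TABLE):
    """Build the per-log decision for a handler: include AND NOT exclude.

    Exclude always takes priority, as the page's 172.16.81.26 example shows.
    Assumption: an empty Include list places no restriction on the source IP.
    Returns (match_function, include_ranges, exclude_ranges)."""
    inc = [r for name in include for r in entry_ranges(*table[name])]
    exc = [r for name in exclude for r in entry_ranges(*table[name])]

    def in_ranges(ip_int, ranges):
        return any(lo <= ip_int <= hi for lo, hi in ranges)

    def match(srcip):
        ip_int = int(ipaddress.ip_address(srcip))
        if exc and in_ranges(ip_int, exc):
            return False              # excluded: never triggers, even if included
        return not inc or in_ranges(ip_int, inc)

    return match, inc, exc


def addr_sql_filter(inc, exc):
    """Render the ranges in the same shape the CLI prints as 'addr sql filter'."""
    def clause(ranges):
        return "(" + " OR ".join(
            f"(srcip>='{ipaddress.ip_address(lo)}' AND srcip<='{ipaddress.ip_address(hi)}')"
            for lo, hi in ranges) + ")"
    parts = []
    if inc:
        parts.append(clause(inc))
    if exc:
        parts.append(f"( NOT {clause(exc)})")
    return " AND ".join(parts) if parts else "1=1"


# Constructed sample traffic logs in FortiGate-style key=value form.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="traffic" srcip=172.16.81.26 dstip=8.8.8.8 level="notice"',
    'date=2024-01-01 time=10:00:02 type="traffic" srcip=172.16.81.33 dstip=8.8.8.8 level="notice"',
    'date=2024-01-01 time=10:00:03 type="traffic" srcip=10.0.0.5 dstip=8.8.8.8 level="notice"',
]
SRCIP_RE = re.compile(r"\bsrcip=(\S+)")


def triggering_srcips(logs, match):
    """Return the source IPs whose logs are allowed to trigger the handler."""
    hits = []
    for line in logs:
        m = SRCIP_RE.search(line)
        if m and match(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    match, inc, exc = handler_matcher(include=["lab-net"], exclude=["scanner-range"])
    print(addr_sql_filter(inc, exc))
    print(triggering_srcips(SAMPLE_LOGS, match))   # ['172.16.81.33']
```

Running it with the page's Include range (172.16.81.0/24) and Exclude range (172.16.81.20-30) reproduces the documented outcome: 172.16.81.26 is suppressed because the exclusion is applied first, 172.16.81.33 triggers, and 10.0.0.5 is dropped because it is outside the Include range. The rendered filter has the same `(include) AND ( NOT (exclude))` structure as the CLI's "addr sql filter" line, which is the quickest way to confirm from the CLI that a handler really carries the address restrictions you expect.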
