Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 5.3.0 External Systems Configuration Guide
    5.3.0
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Cisco Application Centric Infrastructure (ACI)

    Cisco Application Centric Infrastructure (ACI)

    What is Discovered and Monitored

    Protocol Information Discovered Metrics Collected Used For
    Cisco APIC API (REST) Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change Availability and Performance Monitoring

    Event Types

    Go to ADMIN > Device Support > Event and search for "Cisco_ACI".

    Rules

    Go to RESOURCE > Rules and search for "Cisco ACI".

    Reports

    Go to RESOURCE > Reports and search for "Cisco ACI".

    Configuration

    Cisco ACI Configuration

    Please configure Cisco ACI Appliance so that FortiSIEM can access it via APIC API.

    FortiSIEM Configuration

    1. Go to ADMIN > Setup > Credentials
    2. In Step 1: Enter Credentials, click New and create a credential.

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeCISCO CISCO ACI
      Access ProtocolCisco APIC API
      Pull Interval5 minutes
      Port443
      Password configSee Password Configuration
      User NameUser name for device access
      PasswordPassword for the various REST APIs
      DescriptionPassword for the various REST APIs
    3. In Step 2: Enter IP Range to Credential Associations click New and create the association.
      1. IP - specify the IP address of the ACI Controller
      2. Credential - specify the Name as in 2a
    4. Test Connectivity - Run Test Connectivity with or without ping and make sure the test succeeds
    5. Check Pull Events tab to make sure that a event pulling entry is created

    Sample Events

    Overall Health Event 
    [Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89",
    "healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}
    Tenant Health Event 
    [Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
    "twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]
    Nodes Health Event 
    [Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0",
    "inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00",
    "mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role"
    :"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]
    Cluster Health Event
    [Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}
    Application Health Event 
    [Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},
    "children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":
    "100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}
    EPG Health Event 
    [Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified",
    "scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
    "twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]
    Fault Record Event 
    [Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":
    "Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification",
    "lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical",
    "rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}
    Event Record Event 
    [Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":
    "18374686479671623682","user":"internal"}
    Log Record Event 
    [Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created"
    :"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST-
    Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":
    "login,session","txId":"0","user":"admin"}
    Configuration Change Event 
    [Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266",
    "created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":
    "7493989779944505526","user":"admin"}}

    Previous
    Next

    Cisco Application Centric Infrastructure (ACI)

    Cisco Application Centric Infrastructure (ACI)

    What is Discovered and Monitored

    Protocol Information Discovered Metrics Collected Used For
    Cisco APIC API (REST) Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change Availability and Performance Monitoring

    Event Types

    Go to ADMIN > Device Support > Event and search for "Cisco_ACI".

    Rules

    Go to RESOURCE > Rules and search for "Cisco ACI".

    Reports

    Go to RESOURCE > Reports and search for "Cisco ACI".

    Configuration

    Cisco ACI Configuration

    Please configure Cisco ACI Appliance so that FortiSIEM can access it via APIC API.

    FortiSIEM Configuration

    1. Go to ADMIN > Setup > Credentials
    2. In Step 1: Enter Credentials, click New and create a credential.

      SettingsDescription
      NameEnter a name for the credential.
      Device TypeCISCO CISCO ACI
      Access ProtocolCisco APIC API
      Pull Interval5 minutes
      Port443
      Password configSee Password Configuration
      User NameUser name for device access
      PasswordPassword for the various REST APIs
      DescriptionPassword for the various REST APIs
    3. In Step 2: Enter IP Range to Credential Associations click New and create the association.
      1. IP - specify the IP address of the ACI Controller
      2. Credential - specify the Name as in 2a
    4. Test Connectivity - Run Test Connectivity with or without ping and make sure the test succeeds
    5. Check Pull Events tab to make sure that a event pulling entry is created

    Sample Events

    Overall Health Event 
    [Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89",
    "healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}
    Tenant Health Event 
    [Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
    "twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]
    Nodes Health Event 
    [Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0",
    "inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00",
    "mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role"
    :"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]
    Cluster Health Event
    [Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}
    Application Health Event 
    [Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},
    "children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":
    "100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}
    EPG Health Event 
    [Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified",
    "scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
    "twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]
    Fault Record Event 
    [Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":
    "Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification",
    "lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical",
    "rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}
    Event Record Event 
    [Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":
    "18374686479671623682","user":"internal"}
    Log Record Event 
    [Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created"
    :"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST-
    Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":
    "login,session","txId":"0","user":"admin"}
    Configuration Change Event 
    [Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266",
    "created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":
    "7493989779944505526","user":"admin"}}

    Previous
    Next