Fortinet black logo

External Systems Configuration Guide

Qualys Web Application Firewall

Qualys Web Application Firewall

What is Discovered and Monitored

Protocol

Information discovered

Metrics/Logs collected

Used for

Syslog Permitted and Denied Web traffic Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

  • Qualys-WAF-Web-Request-Success

  • Qualys-WAF-Web-Bad-Request

  • Qualys-WAF-Web-Client-Access-Denied

  • Qualys-WAF-Web-Client-Error

  • Qualys-WAF-Web-Forbidden-Access-Denied

  • Qualys-WAF-Web-Length-Reqd-Access-Denied

  • Qualys-WAF-Web-Request

  • Qualys-WAF-Web-Request-Redirect

  • Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in RESOURCE > Reports > Device > Network > Web Gateway.

Configuration

FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Qualys Web Application Firewall
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43be-af71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection":{"id":"bc1379fe-317e-4bae-ae30-2a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serverPort"
:443},"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;
q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"Content-Type","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://esers-test.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},"response":{"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers":[{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"Content-Length","value":"10735"}],"headerOrder":"CTXSDL"},"security":{"auditLogRef":"b02f96e9-2649-4a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applicationSecurity"],
"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3","message":"Condition escaping detected (SQL or XPATH injection) - txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",
"message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",
"message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule":
"main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}}

Qualys Web Application Firewall

What is Discovered and Monitored

Protocol

Information discovered

Metrics/Logs collected

Used for

Syslog Permitted and Denied Web traffic Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

  • Qualys-WAF-Web-Request-Success

  • Qualys-WAF-Web-Bad-Request

  • Qualys-WAF-Web-Client-Access-Denied

  • Qualys-WAF-Web-Client-Error

  • Qualys-WAF-Web-Forbidden-Access-Denied

  • Qualys-WAF-Web-Length-Reqd-Access-Denied

  • Qualys-WAF-Web-Request

  • Qualys-WAF-Web-Request-Redirect

  • Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in RESOURCE > Reports > Device > Network > Web Gateway.

Configuration

FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Qualys Web Application Firewall
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43be-af71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection":{"id":"bc1379fe-317e-4bae-ae30-2a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serverPort"
:443},"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;
q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"Content-Type","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://esers-test.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},"response":{"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers":[{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"Content-Length","value":"10735"}],"headerOrder":"CTXSDL"},"security":{"auditLogRef":"b02f96e9-2649-4a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applicationSecurity"],
"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3","message":"Condition escaping detected (SQL or XPATH injection) - txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",
"message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",
"message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule":
"main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}}