Fortinet Document Library

External Systems Configuration Guide

Vasco DigiPass

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| Syslog | | Successful and Failed Authentications, Successful and Failed administrative logons | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "Vasco DigiPass" in the Device Type column to see the event types associated with this device. Some important ones are:

  • Vasco-DigiPass-KeyServer-AdminLogon-Success
  • Vasco-DigiPass-KeyServer-UserAuth-Success
  • Vasco-DigiPass-KeyServer-UserAuth-Failed
  • Vasco-DigiPass-KeyServer-AccountLocked
  • Vasco-DigiPass-KeyServer-AccountUnlocked

Configuration

Configure the Vasco DigiPass management console to send syslog to FortiSIEM. FortiSIEM parses the logs automatically. Make sure the syslog format matches the following samples.

May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program}

May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}

May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IP-Address: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-Certificate-Store: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-Authentication-Method: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/}
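To check that a forwarded line has the shape of the samples above before relying on it for monitoring, the brace-delimited groups can be split with a depth counter so that nested groups such as Input Details stay intact. This is an added example, not FortiSIEM's own parser; the positional field names (`result`, `category`, `code`, `message`, `audit_id`) and the function names are assumptions made here.

```python
import re

# Header shape taken from the samples: "Mon DD HH:MM:SS host ikeyserver[pid]: body"
HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ikeyserver\[(\d+)\]: (.*)$")
# Names for the five positional groups are assumptions made for this example.
POSITIONAL = ("result", "category", "code", "message", "audit_id")

def split_groups(text):
    """Return the contents of each top-level {...} group, honouring nesting."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}'")
            if depth == 0:
                groups.append(text[start:i])
    if depth:
        raise ValueError("unbalanced '{'")
    return groups

def key_value(group):
    """Split 'Key:Value' at the first colon; nested {...} values become dicts."""
    key, sep, value = group.partition(":")
    if not sep:
        raise ValueError(f"group without key: {group!r}")
    value = value.strip()
    if value.startswith("{"):
        value = dict(key_value(g) for g in split_groups(value))
    return key.strip(), value

def parse_line(line):
    """Parse one ikeyserver line into a dict; raise ValueError if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("syslog header does not match the sample format")
    groups = split_groups(m.group(4))
    if len(groups) < len(POSITIONAL):
        raise ValueError("missing leading positional groups")
    event = {"timestamp": m.group(1), "host": m.group(2), "pid": int(m.group(3))}
    event.update(zip(POSITIONAL, groups))
    event.update(key_value(g) for g in groups[len(POSITIONAL):])
    return event

# Constructed inputs: the admin-logon sample, and the unlock sample shortened.
ADMIN_LOGON = "May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}"
UNLOCK = "May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {User ID:flast}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Object:User}, {Command:Unlock}"
```

A line that raises `ValueError` here (truncated by the transport, re-wrapped by a relay, or missing the `ikeyserver[pid]:` tag) differs from the samples and is worth inspecting at the sender.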
