Fortinet Document Library

External Systems Configuration Guide

Fortinet FortiMail

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: (none)
Metrics Collected: System events (e.g. configuration changes), system up/down/restart events, performance issues, admin logon events, malware attachments
Used For: Security monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "fortimail" to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "fortimail" to see the rules associated with this device.

For generic availability rules, see RESOURCE > Rules > Availability > Network.

For generic performance rules, see RESOURCE > Rules > Performance > Network.

Reports

In RESOURCE > Reports, search for "fortimail" to see the reports associated with this device.

Configuration

Syslog

Configure the FortiMail appliance to send its logs to FortiSIEM. Make sure the log format matches the sample below.

Sample Parsed FortiMail Syslog (two entries, one per line):

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"

date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"
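The sample entries above are space-separated key=value pairs in which values are either quoted (possibly empty, as in subject="") or bare (as in ui=GUI(172.20.120.26)). The following added example, which is not part of this guide or of FortiSIEM, parses both sample lines with a small regex and labels the two events a monitoring analyst cares about here: an admin logon and a rejected message. The parse_fortimail and classify functions and the label strings are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed input: the two sample entries from this guide, each joined into a single line.
SAMPLE_LOGS: List[str] = [
    'date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event '
    'subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success '
    'reason=none msg="User admin login successfully from GUI(172.20.120.26)"',
    'date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics '
    'pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" '
    'dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" '
    'subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" '
    'classifier="Recipient Verification" message_length="188"',
]

# key=value where the value is either "quoted text" (may be empty and may contain spaces)
# or a bare run of non-space characters. A quoted value is consumed whole, so "key=" text
# inside a quoted msg is never mistaken for a new field.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortimail(line: str) -> Dict[str, str]:
    """Parse one FortiMail syslog line into a field dict (assumed helper, not FortiSIEM's parser)."""
    fields: Dict[str, str] = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.groups()
        # quoted is "" (not None) for subject="", so an empty quoted value is kept as empty.
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Label admin logons and rejected mail; other events return None (labels are assumptions)."""
    if fields.get("type") == "event" and fields.get("subtype") == "admin" and fields.get("action") == "login":
        return f"admin-login:{fields.get('user')}:{fields.get('status')}:{fields.get('ui')}"
    if fields.get("type") == "statistics" and fields.get("disposition") == "Reject":
        return f"mail-reject:{fields.get('from')}->{fields.get('to')}:{fields.get('classifier')}"
    return None


def triage(lines: List[str]) -> List[str]:
    """Parse every line and return only the labels worth a monitoring analyst's attention."""
    labels = [classify(parse_fortimail(line)) for line in lines]
    return [label for label in labels if label is not None]


if __name__ == "__main__":
    for label in triage(SAMPLE_LOGS):
        print(label)
```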

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Fortinet FortiMail
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration