Fortinet black logo

External Systems Configuration Guide

FortiClient

FortiClient

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog via FortiAnalyzer (FortiClient > FortiAnalyzer -> FortiSIEM) Traffic logs (IPSec, VPN, File Cleaning/Blocking) Event logs (Antivirus, Web Filter, Vulnerability Scan, Application Firewall, VPN, WAN Optimization, Update logs) Security Monitoring and Log analysis

Note: FortiSIEM collects logs from FortiAnalyzer (FAZ).

Event Types

Search for 'FortiClient' to see the event types associated with this device under RESOURCES > Event Types.

Rules

There are generic rules that trigger for this device as event types are mapped to specific event type groups.

Reports

Generic reports are written for this device as event types are mapped to specific event type groups.

Configuration

  1. Configure FortiClient to send events to FAZ.
  2. Configure FAZ to send events to FortiSIEM:
    1. Login to FAZ.
    2. Go to System Settings > Advanced > Syslog Server.
    3. Click Create New.
    4. Enter the Name. It is recommended to use the name of the FortiSIEM Supervisor node.
    5. Set the IP address (or FQDN) field to the IP or a fully qualified name of the FortiSIEM node that would parse the log (most likely Collector or Worker/Supervisor).
    6. Retain the Syslog Server Port default value '514'.
    7. Click OK to save your entries.
    8. Go to System Settings > Dashboard > CLI Console.
    9. Type the following in the CLI Console for:
      • FAZ 5.1 and older:
        config system aggregation-client
           edit 1 (or the number for your FSM syslog entry)
           set fwd-log-source-ip original_ip
        end
      • FAZ 5.6 and newer:
        config system log-forward
          edit 1 (or the number for your FSM syslog entry)
          set fwd-log-source-ip original_ip
        end
    10. Go to System Settings > Log Forwarding.
    11. Click Create New.
    12. Enter the Name.
    13. Select 'Syslog' as Remote Server Type.
    14. Enter the Server IP with the IP of the FortiSIEM Server/Collector.
    15. Retain the Server Port default value '514'.
    16. Set Reliable Connection to the default value 'Off'.
      Note: Setting this to 'On' will make every log sent from FAZ appear with FAZ’s IP and NOT that of the firewall(s). In addition, your network must allow UDP connection between FAZ and FortiSIEM Collector. Otherwise, the logs will not reach the Collector.
    17. Optional – Use Log Forwarding Filters to select specific devices you want to forward log for.
  3. Follow the steps below to validate that logs are properly flowing from FAZ to FortiSIEM:
    1. Login to FortiSIEM.
    2. Click ANALYTICS tab and use the filter to perform a real-time search:
      1. Click on the Attribute field to select 'Reporting IP' from the list or enter the same in the field to search.
      2. Select '=' Operator.
      3. In the Value field, enter the name of the Fortinet devices from where logs are expected.
      Note: This is NOT the IP address of the FAZ but of an original source device, like a FortiGate Firewall. To ensure that everything is being sent/received correctly, you can use multiple IPs.
  4. You will now see events from one, to numerous, source device(s), even though they are all forwarded from a single FAZ device. You can also check CMDB > Devices to see whether the devices are appearing within CMDB.

    Note: The Relaying IP value in FortiSIEM will not show the IP address of the FAZ but that of the original device which sent the logs to FAZ.

    All the device logs appear within FortiSIEM without configuring numerous devices individually.

Access Credentials for FortiSIEM

Setting

Value
Name <name>
Device Type Fortinet FortiClient
Access Protocol WMI
Pull Interval 1 minute
NetBIOS/Domain The NetBIOS name of servers or domain name
Password config See Password Configuration

Sample Events

Traffic Log

<116> device=FCTEMS0000000001 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM log="itime=1489562233 date=2017-03-15 time=00:17:13 logver=2 type=traffic sessionid=N/A hostname=hostname.local uid=1000000000 devid=FCT8000000000008 fgtserial=FCTEMS0000000005 level=warning regip=10.1.1.1 srcname="Opera" srcproduct=N/A srcip=10.1.1.3 srcport=18398 direction=outbound dstip=10.0.0.4 remotename="aa.com" dstport=20480 user="bb.lee" service=http proto=6 rcvdbyte=N/A sentbyte=N/A utmaction=blocked utmevent=webfilter threat="Gambling" vd=root fctver=1.2.1.1 os="Mac OS X 1.1.1" usingpolicy=N/A url=/ userinitiated=0 browsetime=N/A" ET---> FortiClient-traffic-blocked

Event Log

<116> device=FCTEMS0036759495 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM1 log="itime=1490237155 date=2017-03-22 time=19:45:55 logver=2 level=info uid=C4C4E56CE7B04762B053E8F88B8ECF47 vd=root fctver=5.4.2.0862 os="Microsoft Windows Server 2012 R2 Standard Edition, 64-bit (build 9600)" usingpolicy=AOFCT fgtserial=N/A emsserial=FCTEMS0036759495 devid=FCT8003883203338 hostname=sjcitvwfct01 pcdomain=accelops.net clientfeature=endpoint deviceip=devicemac=N/A type=event user=N/A id=96953 msg="Endpoint Control Status changed - Offline""

FortiClient

FortiClient

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog via FortiAnalyzer (FortiClient > FortiAnalyzer -> FortiSIEM) Traffic logs (IPSec, VPN, File Cleaning/Blocking) Event logs (Antivirus, Web Filter, Vulnerability Scan, Application Firewall, VPN, WAN Optimization, Update logs) Security Monitoring and Log analysis

Note: FortiSIEM collects logs from FortiAnalyzer (FAZ).

Event Types

Search for 'FortiClient' to see the event types associated with this device under RESOURCES > Event Types.

Rules

There are generic rules that trigger for this device as event types are mapped to specific event type groups.

Reports

Generic reports are written for this device as event types are mapped to specific event type groups.

Configuration

  1. Configure FortiClient to send events to FAZ.
  2. Configure FAZ to send events to FortiSIEM:
    1. Login to FAZ.
    2. Go to System Settings > Advanced > Syslog Server.
    3. Click Create New.
    4. Enter the Name. It is recommended to use the name of the FortiSIEM Supervisor node.
    5. Set the IP address (or FQDN) field to the IP or a fully qualified name of the FortiSIEM node that would parse the log (most likely Collector or Worker/Supervisor).
    6. Retain the Syslog Server Port default value '514'.
    7. Click OK to save your entries.
    8. Go to System Settings > Dashboard > CLI Console.
    9. Type the following in the CLI Console for:
      • FAZ 5.1 and older:
        config system aggregation-client
           edit 1 (or the number for your FSM syslog entry)
           set fwd-log-source-ip original_ip
        end
      • FAZ 5.6 and newer:
        config system log-forward
          edit 1 (or the number for your FSM syslog entry)
          set fwd-log-source-ip original_ip
        end
    10. Go to System Settings > Log Forwarding.
    11. Click Create New.
    12. Enter the Name.
    13. Select 'Syslog' as Remote Server Type.
    14. Enter the Server IP with the IP of the FortiSIEM Server/Collector.
    15. Retain the Server Port default value '514'.
    16. Set Reliable Connection to the default value 'Off'.
      Note: Setting this to 'On' will make every log sent from FAZ appear with FAZ’s IP and NOT that of the firewall(s). In addition, your network must allow UDP connection between FAZ and FortiSIEM Collector. Otherwise, the logs will not reach the Collector.
    17. Optional – Use Log Forwarding Filters to select specific devices you want to forward log for.
  3. Follow the steps below to validate that logs are properly flowing from FAZ to FortiSIEM:
    1. Login to FortiSIEM.
    2. Click ANALYTICS tab and use the filter to perform a real-time search:
      1. Click on the Attribute field to select 'Reporting IP' from the list or enter the same in the field to search.
      2. Select '=' Operator.
      3. In the Value field, enter the name of the Fortinet devices from where logs are expected.
      Note: This is NOT the IP address of the FAZ but of an original source device, like a FortiGate Firewall. To ensure that everything is being sent/received correctly, you can use multiple IPs.
  4. You will now see events from one, to numerous, source device(s), even though they are all forwarded from a single FAZ device. You can also check CMDB > Devices to see whether the devices are appearing within CMDB.

    Note: The Relaying IP value in FortiSIEM will not show the IP address of the FAZ but that of the original device which sent the logs to FAZ.

    All the device logs appear within FortiSIEM without configuring numerous devices individually.

Access Credentials for FortiSIEM

Setting

Value
Name <name>
Device Type Fortinet FortiClient
Access Protocol WMI
Pull Interval 1 minute
NetBIOS/Domain The NetBIOS name of servers or domain name
Password config See Password Configuration

Sample Events

Traffic Log

<116> device=FCTEMS0000000001 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM log="itime=1489562233 date=2017-03-15 time=00:17:13 logver=2 type=traffic sessionid=N/A hostname=hostname.local uid=1000000000 devid=FCT8000000000008 fgtserial=FCTEMS0000000005 level=warning regip=10.1.1.1 srcname="Opera" srcproduct=N/A srcip=10.1.1.3 srcport=18398 direction=outbound dstip=10.0.0.4 remotename="aa.com" dstport=20480 user="bb.lee" service=http proto=6 rcvdbyte=N/A sentbyte=N/A utmaction=blocked utmevent=webfilter threat="Gambling" vd=root fctver=1.2.1.1 os="Mac OS X 1.1.1" usingpolicy=N/A url=/ userinitiated=0 browsetime=N/A" ET---> FortiClient-traffic-blocked

Event Log

<116> device=FCTEMS0036759495 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM1 log="itime=1490237155 date=2017-03-22 time=19:45:55 logver=2 level=info uid=C4C4E56CE7B04762B053E8F88B8ECF47 vd=root fctver=5.4.2.0862 os="Microsoft Windows Server 2012 R2 Standard Edition, 64-bit (build 9600)" usingpolicy=AOFCT fgtserial=N/A emsserial=FCTEMS0036759495 devid=FCT8003883203338 hostname=sjcitvwfct01 pcdomain=accelops.net clientfeature=endpoint deviceip=devicemac=N/A type=event user=N/A id=96953 msg="Endpoint Control Status changed - Offline""