
External Systems Configuration Guide

Cisco Application Centric Infrastructure (ACI)

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Cisco APIC API (REST) Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change Availability and Performance Monitoring

Event Types

Go to ADMIN > Device Support > Event and search for "Cisco_ACI".

Rules

Go to RESOURCE > Rules and search for "Cisco ACI".

Reports

Go to RESOURCE > Reports and search for "Cisco ACI".

Configuration

Cisco ACI Configuration

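Configure the Cisco ACI appliance so that FortiSIEM can access it via the APIC API. A dedicated APIC account limited to read access is preferable for this, since the integration described here only pulls health, fault, event, log and configuration-change records.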

FortiSIEM Configuration

  1. Go to ADMIN > Setup > Credentials
  2. In Step 1: Enter Credentials, click New and create a credential.

    Settings | Description
    Name | Enter a name for the credential.
    Device Type | CISCO CISCO ACI
    Access Protocol | Cisco APIC API
    Pull Interval | 5 minutes
    Port | 443
    Password config | See Password Configuration
    User Name | User name for device access
    Password | Password for the various REST APIs
    Description | Password for the various REST APIs
  3. In Step 2: Enter IP Range to Credential Associations, click New and create the association.
    1. IP - specify the IP address of the ACI Controller
    2. Credential - specify the Name of the credential created in step 2
  4. Test Connectivity - Run Test Connectivity with or without ping and make sure the test succeeds
  5. Check the Pull Events tab to make sure that an event pulling entry is created

Sample Events

Overall Health Event
[Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89",
"healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}
Tenant Health Event
[Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
"twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]
Nodes Health Event
[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0",
"inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00",
"mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role"
:"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]
Cluster Health Event
[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}
Application Health Event
[Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},
"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":
"100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}
EPG Health Event
[Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified",
"scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
"twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]
Fault Record Event
[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":
"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification",
"lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical",
"rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}
Event Record Event
[Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":
"18374686479671623682","user":"internal"}
Log Record Event
[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created"
:"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST-
Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":
"login,session","txId":"0","user":"admin"}
Configuration Change Event
[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266",
"created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":
"7493989779944505526","user":"admin"}}

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Cisco APIC API (REST) Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change Availability and Performance Monitoring

Event Types

Go to ADMIN > Device Support > Event and search for "Cisco_ACI".

Rules

Go to RESOURCE > Rules and search for "Cisco ACI".

Reports

Go to RESOURCE > Reports and search for "Cisco ACI".

Configuration

Cisco ACI Configuration

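Configure the Cisco ACI appliance so that FortiSIEM can access it via the APIC API. A dedicated APIC account limited to read access is preferable for this, since the integration described here only pulls health, fault, event, log and configuration-change records.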

FortiSIEM Configuration

  1. Go to ADMIN > Setup > Credentials
  2. In Step 1: Enter Credentials, click New and create a credential.

    Settings | Description
    Name | Enter a name for the credential.
    Device Type | CISCO CISCO ACI
    Access Protocol | Cisco APIC API
    Pull Interval | 5 minutes
    Port | 443
    Password config | See Password Configuration
    User Name | User name for device access
    Password | Password for the various REST APIs
    Description | Password for the various REST APIs
  3. In Step 2: Enter IP Range to Credential Associations, click New and create the association.
    1. IP - specify the IP address of the ACI Controller
    2. Credential - specify the Name of the credential created in step 2
  4. Test Connectivity - Run Test Connectivity with or without ping and make sure the test succeeds
  5. Check the Pull Events tab to make sure that an event pulling entry is created

Sample Events

Overall Health Event
[Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89",
"healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}
Tenant Health Event
[Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
"twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]
Nodes Health Event
[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0",
"inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00",
"mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role"
:"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]
Cluster Health Event
[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}
Application Health Event
[Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},
"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":
"100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}
EPG Health Event
[Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified",
"scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"",
"twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]
Fault Record Event
[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":
"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification",
"lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical",
"rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}
Event Record Event
[Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":
"18374686479671623682","user":"internal"}
Log Record Event
[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created"
:"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST-
Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":
"login,session","txId":"0","user":"admin"}
Configuration Change Event
[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266",
"created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":
"7493989779944505526","user":"admin"}}