External Systems Configuration Guide

Cisco Intrusion Prevention System

What is Discovered and Monitored

Protocol   Information Discovered   Metrics Collected   Used For
SNMP                                                    Performance and Availability Monitoring
SDEE                                Alerts              Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "cisco ips" in the Search... field to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "cisco ips" in the main content panel Search... field to see the rules associated with this device.

Reports

In RESOURCES > Reports, search for "cisco ips" in the main content panel Search... field to see the reports associated with this device.

Configuration

SNMP
  1. Log in to the device manager for your Cisco IPS.
  2. Go to Configuration > Allowed Hosts/Networks.
  3. Click Add.
  4. Enter the IP address of your FortiSIEM virtual appliance to add it to the access control list, and then click OK. Without this entry the sensor drops both SNMP and SDEE requests from FortiSIEM.
  5. Go to Configuration > Sensor Management > SNMP > General Configuration.
  6. For Read-Only Community String, enter the community string that you will also set in the FortiSIEM SNMP access credential. The guide's example uses public; on a production sensor choose a unique, non-default string, because a read-only community still exposes the sensor's system and interface data to anyone who can reach UDP port 161.
  7. For Sensor Contact and Sensor Location, enter Unknown (or the real values for your site).
  8. For Sensor Agent Port, enter 161.
  9. For Sensor Agent Protocol, select udp.

If FortiSIEM needs its own SDEE account, go to Configuration > Users and add a new administrator. That account's user name and password are the ones you enter in the Cisco SDEE access credential below.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to pull alerts from your device over SDEE.

Setting           Value
Name              <set name>
Device Type       Cisco IPS
Access Protocol   Cisco SDEE
Pull Interval     5 minutes
Port              443
Password config   See Password Configuration

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>

Sample XML-Formatted Alert

<!-- CISCO IPS -->
<evAlert eventId="1203541079317487802" severity="low">
  <originator>
    <hostId>MainFW-IPS</hostId>
    <appName>sensorApp</appName>
    <appInstanceId>376</appInstanceId>
  </originator>
  <time offset="0" timeZone="UTC">1204938398491122000</time>
  <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature>
  <interfaceGroup>vs1</interfaceGroup>
  <vlan>0</vlan>
  <participants>
    <attack>
      <attacker>
        <addr locality="OUT">2.2.2.1</addr>
      </attacker>
      <victim>
        <addr locality="OUT">171.64.10.225</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.87</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.86</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.84</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.85</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.82</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
    </attack>
  </participants>
  <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails>
</evAlert>
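The alert above is what FortiSIEM receives on each SDEE pull. The following is an added example, not FortiSIEM or Cisco code, showing how the fields a SIEM normalizes (sensor, signature, attacker, victims, event time) are extracted from one evAlert with the Python standard library. The sample alert inside the block is constructed from the one shown on this page; the function names, the nanosecond interpretation of the <time> value (the 19-digit value on this page converts to a plausible 2008 timestamp under that reading) and the sweep heuristic are this example's own assumptions.

```python
"""Extract SIEM-relevant fields from a Cisco IPS SDEE evAlert element.

Added example (not FortiSIEM or Cisco code). Standard library only.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample modelled on the alert shown on this page (whitespace added).
SAMPLE_ALERT = """<!-- CISCO IPS -->
<evAlert eventId="1203541079317487802" severity="low">
  <originator><hostId>MainFW-IPS</hostId><appName>sensorApp</appName>
    <appInstanceId>376</appInstanceId></originator>
  <time offset="0" timeZone="UTC">1204938398491122000</time>
  <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature>
  <interfaceGroup>vs1</interfaceGroup><vlan>0</vlan>
  <participants><attack>
    <attacker><addr locality="OUT">2.2.2.1</addr></attacker>
    <victim><addr locality="OUT">171.64.10.225</addr><os idSource="unknown" type="unknown" relevance="relevant"></os></victim>
    <victim><addr locality="OUT">171.66.255.87</addr><os idSource="unknown" type="unknown" relevance="relevant"></os></victim>
    <victim><addr locality="OUT">171.66.255.86</addr><os idSource="unknown" type="unknown" relevance="relevant"></os></victim>
    <victim><addr locality="OUT">171.66.255.84</addr><os idSource="unknown" type="unknown" relevance="relevant"></os></victim>
    <victim><addr locality="OUT">171.66.255.85</addr><os idSource="unknown" type="unknown" relevance="relevant"></os></victim>
    <victim><addr locality="OUT">171.66.255.82</addr><os idSource="unknown" type="unknown" relevance="relevant"></os></victim>
  </attack></participants>
  <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails>
</evAlert>"""


def sdee_time_to_datetime(raw: str) -> datetime:
    """Assumption: the <time> text is nanoseconds since the Unix epoch (UTC).

    Split into whole seconds and microseconds with integer arithmetic so the
    19-digit value is not rounded through a float.
    """
    secs, rem_ns = divmod(int(raw), 10**9)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem_ns // 1000)


def parse_evalert(xml_text: str) -> dict:
    """Return the normalized fields of a single evAlert as a dict."""
    # The stdlib parser is acceptable for this constructed sample; XML pulled from a
    # sensor you do not fully control should be parsed with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "evAlert":
        raise ValueError(f"expected <evAlert>, got <{root.tag}>")
    sig = root.find("signature")
    attack = root.find("participants/attack")
    if sig is None or attack is None:
        raise ValueError("evAlert missing <signature> or <participants>/<attack>")
    return {
        "event_id": root.get("eventId"),
        "severity": root.get("severity"),
        "sensor": root.findtext("originator/hostId"),
        "sig_id": int(sig.get("sigId")),
        "sub_sig_id": int(sig.get("subSigId", "0")),
        "sig_name": sig.get("sigName"),
        "time": sdee_time_to_datetime(root.findtext("time")),
        "interface_group": root.findtext("interfaceGroup"),
        "vlan": int(root.findtext("vlan", default="0")),
        # One alert may carry several attackers and victims; keep them all.
        "attackers": [a.text for a in attack.findall("attacker/addr")],
        "victims": [v.text for v in attack.findall("victim/addr")],
        "alert_details": (root.findtext("alertDetails") or "").strip(),
    }


def is_sweep(alert: dict, min_victims: int = 3) -> bool:
    """Heuristic (this example's own): one attacker address against many distinct
    victims in a single alert is the shape a network-sweep signature produces."""
    return len(set(alert["attackers"])) == 1 and len(set(alert["victims"])) >= min_victims


if __name__ == "__main__":
    alert = parse_evalert(SAMPLE_ALERT)
    print(alert["time"].isoformat(), alert["sensor"], alert["sig_id"], alert["sig_name"])
    print("attacker:", alert["attackers"], "victims:", len(alert["victims"]), "sweep:", is_sweep(alert))
```

The parser deliberately keeps every attacker and victim address rather than the first one: for a sweep signature the victim list is the evidence, and a rule keyed on one destination would miss it.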