DOCUMENT LIBRARY

External Systems Configuration Guide

FortiSIEM External Systems Configuration Guide Online
Change Log
TABLE OF CONTENTS
Overview
Ports Used by FortiSIEM for Discovery and Monitoring
Supported Devices and Applications by Vendor
Applications
- Application Server
- Authentication Server
- Database Server
- DHCP and DNS Server
- Directory Server
  - Microsoft Active Directory
- Document Management Server
  - Microsoft SharePoint
- Healthcare IT
  - Epic EMR/EHR System
- Mail Server
  - Microsoft Exchange
- Management Server/Appliance
  - Cisco Application Centric Infrastructure (ACI)
  - Fortinet FortiManager
- Remote Desktop
  - Citrix Receiver (ICA)
- Source Code Control
- Unified Communication Server
- Web Server
Blade Servers
- Cisco UCS Server
- HP BladeSystem
Cloud Applications
- Alicide.io KAudit
- AWS Access Key IAM Permissions and IAM Policies
- AWS CloudTrail API
- Amazon AWS EC2
- AWS EC2 CloudWatch API
- AWS Kinesis
- AWS RDS
- AWS Security Hub
- Box.com
- Google Workspace (formerly G Suite) Audit
- Microsoft Azure Audit
- Microsoft Office365 Audit
- Microsoft Cloud Add Security
- Microsoft Defender for Identity/Microsoft Azure ATP
- Microsoft Azure Compute
- Microsoft Azure Event Hub
- Okta
- Salesforce CRM Audit
Console Access Devices
- Lantronix SLC Console Manager
End Point Security Software
- Bit9 Security Platform
- Carbon Black Security Platform
- Cisco AMP for Endpoints API V0 - Previously Cisco AMP Cloud V0
- Cisco AMP for Endpoints API V1 - Previously Cisco AMP Cloud V1
- Cisco Security Agent (CSA)
- CloudPassage Halo
- Crowdstrike
- Digital Guardian CodeGreen DLP
- ESET NOD32 Anti-Virus
- FortiClient
- Fortinet FortiEDR
- Malwarebytes Breach Remediation
- MalwareBytes EndPoint Protection
- McAfee ePolicy Orchestrator (ePO)
- Microsoft Defender for Endpoint/Microsoft Windows Defender ATP
- MobileIron Sentry and Connector
- Netwrix Auditor (via Correlog Windows Agent)
- Palo Alto Traps Endpoint Security Manager
- SentinelOne
- Sophos Central
- Sophos Endpoint Security and Control
- Symantec Endpoint Protection
- Symantec SEPM
- Tanium Connect
- Trend Micro Interscan Web Filter
- Trend Micro Intrusion Defense Firewall (IDF)
- Trend Micro OfficeScan
Firewalls
- Check Point FireWall-1
- Check Point Provider-1 Firewall
- Check Point VSX Firewall
- Cisco Adaptive Security Appliance (ASA)
- Cisco Firepower Threat Defense (FTD)
- Clavister Firewall
- Cyberoam Firewall
- Dell SonicWALL Firewall
- Fortinet FortiGate Firewall
- Imperva Securesphere Web App Firewall
- Juniper Networks SSG Firewall
- McAfee Firewall Enterprise (Sidewinder)
- Palo Alto Firewall
- Sophos UTM Firewall
- Stormshield Network Security
- Tigera Calico
- WatchGuard Firebox Firewall
Load Balancers and Application Firewalls
- Brocade ServerIron ADX
- Citrix Netscaler Application Delivery Controller (ADC)
- F5 Networks Application Security Manager
- F5 Networks Local Traffic Manager
- F5 Networks Web Accelerator
- Fortinet FortiADC
- Qualys Web Application Firewall
- Zscaler Cloud Firewall
Log Aggregators
- Fortinet FortiAnalyzer
Network Compliance Management Applications
- Cisco Network Compliance Manager
- PacketFence Network Access Control (NAC) Integration
Network Intrusion Prevention Systems (IPS)
- 3COM TippingPoint UnityOne IPS
- AirTight Networks SpectraGuard
- Alert Logic IRIS API
- Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense
- Cisco Intrusion Prevention System
- Cisco Stealthwatch
- Claroty Continuous Threat Detection Platform
- Corero Smartwall Threat Defense System
- Cylance Protect Endpoint Protection
- Cyphort Cortext Endpoint Protection
- Damballa Failsafe
- Darktrace CyberIntelligence Platform
- Dragos Platform
- FireEye Malware Protection System (MPS)
- FortiDDoS
- Fortinet FortiNAC
- Fortinet FortiDeceptor
- Fortinet FortiSandbox
- Fortinet FortiTester
- IBM Internet Security Series Proventia
- Indegny Security Platform
- Juniper DDoS Secure
- Juniper Networks IDP Series
- McAfee IntruShield
- McAfee Stonesoft IPS
- Motorola AirDefense
- Nozomi
- Radware DefensePro
- Snort Intrusion Prevention System
- Sourcefire 3D and Defense Center
- Trend Micro Deep Discovery
- Zeek (Bro) installed on Security Onion
Operational Technology
- APC Netbotz Environmental Monitor
- APC UPS
- Claroty Continuous Threat Detection (CTD) Platform
- Dragos Platform
- Generic UPS
- Hirschman SCADA Firewalls and Switches
- Liebert FPC
- Liebert HVAC
- Liebert UPS
- Nozomi
Routers and Switches
- Alcatel TiMOS and AOS Switch
- Arista Router and Switch
- Brocade NetIron CER Routers
- Cisco 300 Series Routers
- Cisco IOS Router and Switch
  - How CPU and Memory Utilization is Collected for Cisco IOS
- Cisco Meraki Cloud Controller and Network Devices
- Cisco NX-OS Router and Switch
- Cisco ONS
- Cisco Viptela SDWAN Router
- Dell Force10 Router and Switch
- Dell NSeries Switch
- Dell PowerConnect Switch and Router
- Foundry Networks IronWare Router and Switch
- HP/3Com ComWare Switch
- HP ProCurve Switch
- HP Value Series (19xx) and HP 3Com (29xx) Switch
- Hirschman SCADA Firewalls and Switches
- Juniper Networks JunOS Switch
- Mikrotek Router
- Nortel ERS and Passport Switch
Security Gateways
- Barracuda Networks Spam Firewall
- Blue Coat Web Proxy
- Cisco IronPort Mail Gateway
- Cisco IronPort Web Gateway
- Fortinet FortiMail
- Fortinet FortiWeb
- Imperva Securesphere DB Monitoring Gateway
- Imperva Securesphere Security Gateway
- McAfee Vormetric Data Security Manager
- McAfee Web Gateway
- Microsoft ISA Server
- Oracle Cloud Access Security Broker (CASB)
- Proofpoint
- Squid Web Proxy
- SSH Comm Security CryptoAuditor
- Websense Web Filter
Servers
- HP UX Server
- IBM AIX Server
- IBM OS400 Server
- Linux Server
- Microsoft Windows Server
- QNAP Turbo NAS
- Sun Solaris Server
Storage
- Brocade SAN Switch
- Dell Compellant Storage
- Dell EqualLogic Storage
- EMC Clarion Storage
- EMC Isilon Storage
- EMC VNX Storage
- NetApp Data ONTAP
- NetApp Filer Storage
- Nimble Storage
- Nutanix Storage
Threat Intelligence
- FortiInsight
- Lastline
- ThreatConnect
Virtualization
- HyperV
- HyTrust CloudControl
- VMware ESX
VPN Gateways
- Cisco VPN 3000 Gateway
- Cyxtera AppGuard
- Juniper Networks SSL VPN Gateway
- Microsoft PPTP VPN Gateway
- Pulse Secure
Vulnerability Scanners
- AlertLogic
- Green League WVSS
- McAfee Foundstone Vulnerability Scanner
- Qualys QualysGuard Scanner
- Qualys Vulnerability Scanner
- Rapid7 InsightVM Integration (Platform Based Vulnerability Management)
- Rapid7 Nexpose Vulnerability Scanner (Vulnerability Management On-Premises)
- Tenable.io
- Tenable Nessus Vulnerability Scanner
- Tenable Security Center
- YXLink Vulnerability Scanner
WAN Accelerators
- Cisco Wide Area Application Server
- Riverbed SteelHead WAN Accelerator
Wireless LANs
- Aruba Networks Wireless LAN
- Cisco Wireless LAN
- FortiAP
- FortiWLC
- Motorola WiNG WLAN AP
- Ruckus Wireless LAN
Using Virtual IPs to Access Devices in Clustered Environments
Syslog over TLS
SNMP V3 Traps
Flow Support
Appendix
- Access Credentials

Home FortiSIEM 6.2.0 External Systems Configuration Guide

6.2.0

Corero Smartwall Threat Defense System

What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
Settings for Access Credentials
Sample Syslog

What is Discovered and Monitored

Protocol	Information Discovered	Metrics Collected	Used For
Syslog		Security Alerts and Events	Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Corero-smart" to see the event types associated with this device. In FortiSIEM 6.2.0, there are approximately 3,452 event types defined.

Rules

There are no specific rules available for Corero.

Reports

There are no specific reports available for Corero. You can view all Corero events by taking the following steps.

From the ANALYTICS page, click in the Edit Filters and Time Range field.
Under Filter, select Event Attribute.
In the Attribute field, select/enter "Event Type".
In the Operator field, select "CONTAIN".
In the Value field, enter "Corero-smart".
(Optional) Click Save to save the search parameters for future related searches.
Click Apply & Run.

Configuration

Please refer to the Corero documentation for information on configuring the device at the following link.

https://www.juniper.net/documentation/en_US/corero-smartwall9.5.0/information-products/topic-collections/Corero_SmartWall_CMS_UG/Content/cms_connect_swa.htm

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting	Value
Name	<set name>
Device Type	Corero SmartWall
Access Protocol	See Access Credentials
Port	See Access Credentials
Password config	See Password Configuration

Sample Syslog

<165>2020-09-22T18:07:28.905+02:00 10.11.12.13 cat=network,type=sflow,v=1,cl=default,device=Defense_10_12_12_102,profile=default,sc=175,sfn=16,dir=inbound,time=1600790847976000,mp=xe-1/1,issr=1999,isr=1,px=32,lb=0,ipv=4,dip=1.2.3.4,dprt=61205,iplen=1143,prot=6,tos=0,sip=1.2.3.5,sprt=443,ttl=126,bp=0,ep=0,icn=5,scl=0,fp=0,flags=24,flags-decode=PSH:ACK,plen=1161,ptag=37,pdu=0896ad670b22204e71624fc68100002508004500047762f400007e06f701d83ad724b9b9757201bbef15d173297cf6bf83c7501810dec0ad00004b10a65f2b244bb73879b0f4346428273ce3582fe59501013ea113a6bbdc535832cbf1ea85d95ecd7ab906eae299b27f16ee3d74b7fe3d981e33971dad0e03d68f90c03fbfabbd4fb63d081701603f5893e42ef3311b0d4936e9abd39621f62608de62b4466947feeaf3ca9aca54ba8fb8121dd3b5dfa5a3adf0ca8c92bb3cf4398b15edb508901db78409a09e3c