Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.3.1 External Systems Configuration Guide
    6.3.1
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Blue Coat Web Proxy

    Blue Coat Web Proxy

    What is Discovered and Monitored

    Protocol

    Information discovered

    Metrics collected

    Used for

    SNMP

    Host name, Interfaces, Serial number

    CPU utilization, Memory utilization

    Performance Monitoring

    SNMP

    Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)

    Performance Monitoring

    SFTP

    Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

    Security Monitoring and compliance

    Syslog

    Admin authentication success and failure

    Security Monitoring and compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "blue coat" to see the event types associated with this device.

    Rules

    There are no predefined rules for this device.

    Reports

    There are no predefined reports for this device.

    Configuration

    SNMP

    The following procedures enable FortiSIEM to discover Bluecoat web proxy.

    1. Log in to your Blue Coat management console.
    2. Go to Maintenance > SNMP.
    3. Under SNMP General, select Enable SNMP.
    4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device.
    5. Click OK.
    Syslog

    Syslog is used by Blue Coat to send audit logs to FortiSIEM.

    1. Log in to your Blue Coat management console.
    2. Go to Maintenance > Event Logging.
    3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
    4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
    5. Select Enable syslog.
    6. Click Apply.
    Sample Syslog Event

    <111>2020-12-04T00:15:15 Bluecoatsyslog time-taken="39", c-ip="105.128.196.10", cs-username="user.example", cs-auth-group="-", cs-categories="Web Ads/Analytics", sc-status="200", cs-uri-scheme="https", cs-host="cdn.somedomain.com", cs-uri-port="443", cs-uri-extension="js", cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", cs-uri-path="/base_src.js", cs-method="GET", cs-bytes="629", r-ip="123.123.25.25", rs(Content-Type)="application/javascript", s-action="TCP_NC_MISS", s-ip="212.212.212.5", sc-bytes="7205", sc-filter-result="OBSERVED", x-exception-id="-", x-virus-id="-", x-rs-certificate-observed-errors="none", x-cs-ocsp-error="-", x-rs-ocsp-error="-", x-rs-connection-negotiated-cipher-strength="high", x-rs-certificate-hostname="*.somedomain.com", x-rs-certificate-hostname-category="Web Ads/Analytics"
    Access Logging

    To configure access logging, take the following steps.

    1. Log in to the Blue Coat Management Console.

    2. Select Configuration > Access Logging > Formats.

    3. Select New.

    4. Type a format name for the custom format and paste the following configs:

      <111>$(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) Bluecoatsyslog time-taken=\"$(time-taken)\", c-ip=\"$(c-ip)\", cs-username=\"$(cs-username)\", cs-auth-group=\"$(cs-auth-group)\", cs-categories=$(cs-categories), sc-status=\"$(sc-status)\", cs-uri-scheme=\"$(cs-uri-scheme)\", cs-host=\"$(cs-host)\", cs-uri-port=\"$(cs-uri-port)\", cs-uri-extension=\"$(cs-uri-extension)\", cs(User-Agent)=\"$(cs(User-Agent))\", cs-uri-path=\"$(cs-uri-path)\", cs-method=\"$(cs-method)\", cs-bytes=\"$(cs-bytes)\", r-ip=\"$(r-ip)\", rs(Content-Type)=\"$(rs(Content-Type))\", s-action=\"$(s-action)\", s-ip=\"$(s-ip)\", sc-bytes=\"$(sc-bytes)\", sc-filter-result=\"$(sc-filter-result)\", x-exception-id=\"$(x-exception-id)\", x-virus-id=\"$(x-virus-id)\", x-rs-certificate-observed-errors=\"$(x-rs-certificate-observed-errors)\", x-cs-ocsp-error=\"$(x-cs-ocsp-error)\", x-rs-ocsp-error=\"$(x-rs-ocsp-error)\", x-rs-connection-negotiated-cipher-strength=\"$(x-rs-connection-negotiated-cipher-strength)\", x-rs-certificate-hostname=\"$(x-rs-certificate-hostname)\", x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category)

    5. Select transport option.

    6. Save your format.

    7. Click OK.

    8. Specify the IP address for the client that is receiving the logs.

    9. Click Apply.

    Previous
    Next

    Blue Coat Web Proxy

    Blue Coat Web Proxy

    What is Discovered and Monitored

    Protocol

    Information discovered

    Metrics collected

    Used for

    SNMP

    Host name, Interfaces, Serial number

    CPU utilization, Memory utilization

    Performance Monitoring

    SNMP

    Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)

    Performance Monitoring

    SFTP

    Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

    Security Monitoring and compliance

    Syslog

    Admin authentication success and failure

    Security Monitoring and compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "blue coat" to see the event types associated with this device.

    Rules

    There are no predefined rules for this device.

    Reports

    There are no predefined reports for this device.

    Configuration

    SNMP

    The following procedures enable FortiSIEM to discover Bluecoat web proxy.

    1. Log in to your Blue Coat management console.
    2. Go to Maintenance > SNMP.
    3. Under SNMP General, select Enable SNMP.
    4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device.
    5. Click OK.
    Syslog

    Syslog is used by Blue Coat to send audit logs to FortiSIEM.

    1. Log in to your Blue Coat management console.
    2. Go to Maintenance > Event Logging.
    3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
    4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
    5. Select Enable syslog.
    6. Click Apply.
    Sample Syslog Event

    <111>2020-12-04T00:15:15 Bluecoatsyslog time-taken="39", c-ip="105.128.196.10", cs-username="user.example", cs-auth-group="-", cs-categories="Web Ads/Analytics", sc-status="200", cs-uri-scheme="https", cs-host="cdn.somedomain.com", cs-uri-port="443", cs-uri-extension="js", cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", cs-uri-path="/base_src.js", cs-method="GET", cs-bytes="629", r-ip="123.123.25.25", rs(Content-Type)="application/javascript", s-action="TCP_NC_MISS", s-ip="212.212.212.5", sc-bytes="7205", sc-filter-result="OBSERVED", x-exception-id="-", x-virus-id="-", x-rs-certificate-observed-errors="none", x-cs-ocsp-error="-", x-rs-ocsp-error="-", x-rs-connection-negotiated-cipher-strength="high", x-rs-certificate-hostname="*.somedomain.com", x-rs-certificate-hostname-category="Web Ads/Analytics"
    Access Logging

    To configure access logging, take the following steps.

    1. Log in to the Blue Coat Management Console.

    2. Select Configuration > Access Logging > Formats.

    3. Select New.

    4. Type a format name for the custom format and paste the following configs:

      <111>$(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) Bluecoatsyslog time-taken=\"$(time-taken)\", c-ip=\"$(c-ip)\", cs-username=\"$(cs-username)\", cs-auth-group=\"$(cs-auth-group)\", cs-categories=$(cs-categories), sc-status=\"$(sc-status)\", cs-uri-scheme=\"$(cs-uri-scheme)\", cs-host=\"$(cs-host)\", cs-uri-port=\"$(cs-uri-port)\", cs-uri-extension=\"$(cs-uri-extension)\", cs(User-Agent)=\"$(cs(User-Agent))\", cs-uri-path=\"$(cs-uri-path)\", cs-method=\"$(cs-method)\", cs-bytes=\"$(cs-bytes)\", r-ip=\"$(r-ip)\", rs(Content-Type)=\"$(rs(Content-Type))\", s-action=\"$(s-action)\", s-ip=\"$(s-ip)\", sc-bytes=\"$(sc-bytes)\", sc-filter-result=\"$(sc-filter-result)\", x-exception-id=\"$(x-exception-id)\", x-virus-id=\"$(x-virus-id)\", x-rs-certificate-observed-errors=\"$(x-rs-certificate-observed-errors)\", x-cs-ocsp-error=\"$(x-cs-ocsp-error)\", x-rs-ocsp-error=\"$(x-rs-ocsp-error)\", x-rs-connection-negotiated-cipher-strength=\"$(x-rs-connection-negotiated-cipher-strength)\", x-rs-certificate-hostname=\"$(x-rs-certificate-hostname)\", x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category)

    5. Select transport option.

    6. Save your format.

    7. Click OK.

    8. Specify the IP address for the client that is receiving the logs.

    9. Click Apply.

    Previous
    Next