
External Systems Configuration Guide

IBM Internet Security Series Proventia


What is Discovered and Monitored

Protocol      Information Discovered      Metrics Collected
SNMP Traps

Event Types

In ADMIN > Device Support > Event Types, search for "proventia" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP Trap

FortiSIEM receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You must first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to FortiSIEM.

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

  1. Log in to the IBM Proventia IPS web interface.
  2. Click Manage System Settings > SiteProtector Management.
  3. Click and select Register with SiteProtector.
  4. Click and select Local Settings Override SiteProtector Group Settings.
  5. Specify the Group, Heartbeat Interval, and Logging Level.
  6. Configure these settings:
    Setting: Description
    Authentication Level: Use the default first-time trust.
    Agent Manager Name: Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
    Agent Manager Address: Enter the Agent Manager's IP address.
    Agent Manager Port: Use the default value 3995.
    User Name: If the appliance has to log into an account to access the Agent Manager, enter the user name for that account here.
    User Password: Click Set Password, enter and confirm the password, and then click OK.
    Use Proxy Settings: If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.

Define FortiSIEM as a Response Object for SNMP Traps

  1. Log in to IBM SiteProtector console.
  2. Go to Grouping > Site Management > Central Responses > Edit settings.
  3. Select Response Objects > SNMP.
  4. Click Add.
  5. Enter a Name for your FortiSIEM virtual appliance.
  6. For Manager, enter the IP address of your virtual appliance.
  7. For Community, enter public.
  8. Click OK.

Define a Response Rule to Forward SNMP Traps to FortiSIEM

  1. Go to Response Rules.
  2. Click Add.
  3. Select Enabled.
  4. Enter a Name and Comment for the response rule.
  5. In the Responses tab, select SNMP.
  6. Select Enabled for the response object that represents your FortiSIEM virtual appliance.
  7. Click OK.

Refining Rules for Specific IP Addresses

By default, a rule matches on any source or destination IP address.

  1. To refine the rule to match on a specific source IP address, select the rule, click Edit, and then select the Source tab.
  2. Select Use specific source addresses to restrict the rule based on IP address of the source.
    If you set this option, set the Mode to specify that the rule should either be From or Not From the IP address.
  3. Click Add to define one or more IP addresses.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        IBM ISS Proventia
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Sample SNMP Trap

2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) Uptime: 0:00:00.15
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"
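The following parser is an added example, not FortiSIEM's or IBM's code, and it is not part of the original guide. It shows what a collector has to do with the sample trap above: check the community string and enterprise OID before trusting the trap, pull the eleven varbinds under enterprises.2499 into named fields, and split the flat "Key: value" alert-details string without breaking values that contain spaces. The field names assigned to varbind positions 1 through 11 are inferred from the sample trap only, not from the ISS MIB, and are assumptions; the "Simulated block" interpretation of VulnStatus is likewise taken from the sample text.

```python
"""Parse an IBM/ISS SiteProtector SNMPv1 trap as printed by snmptrapd.

Added example for this page (not FortiSIEM or IBM code). Varbind-position
names and the VulnStatus interpretation are assumptions inferred from the
sample trap in the guide, not from the vendor MIB.
"""
import re

ISS_ENTERPRISE_OID = "SNMPv2-SMI::enterprises.2499"

# Varbind position -> field name (assumption inferred from the page's sample).
VARBIND_FIELDS = {
    1: "response_name",     # SiteProtector central response that fired
    2: "event_time",        # HH:MM:SS YYYY-MM-DD as sent by SiteProtector
    3: "severity",
    4: "src_ip",
    5: "dst_ip",
    6: "unused6",           # empty in the sample
    7: "unused7",           # empty in the sample
    8: "src_port",
    9: "dst_port",
    10: "response_actions",
    11: "alert_details",    # flat "Key: value" text, parsed separately
}

_HEADER_RE = re.compile(
    r"^(?P<received>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<agent_ip>[^\s(]+)\(via UDP: \[(?P<relay_ip>[^\]]+)\]:(?P<relay_port>\d+)\) "
    r"TRAP, SNMP v(?P<version>\d), community (?P<community>\S+) "
    r"(?P<enterprise>\S+) Enterprise Specific Trap \((?P<specific_trap>\d+)\)"
)
# Varbinds 6 and 7 in the sample carry no "STRING:" type tag, so it is optional.
_VARBIND_RE = re.compile(
    re.escape(ISS_ENTERPRISE_OID) + r"\.1\.1\.2\.1\.1\.1\.1\.(?P<idx>\d+) = "
    r'(?:STRING: )?"(?P<value>[^"]*)"'
)
# A detail key is a CamelCase word followed by ": " and preceded by whitespace,
# so "16:52:17" and "(blocking not enabled)" are never mistaken for keys.
_DETAIL_KEY_RE = re.compile(r"(?<!\S)([A-Z][A-Za-z]+): ")

# The page's sample trap, embedded as constructed test input.
SAMPLE_TRAP = (
    "2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, "
    "community public SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) "
    "Uptime: 0:00:00.15 "
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = "" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = "" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0" '
    'SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 '
    "DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 "
    "AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 "
    'ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"'
)


def parse_alert_details(text):
    """Split ' SensorName: IBM-IPS ObjectName: 80 ...' into a dict, keeping
    multi-word values (e.g. 'Target Port') intact."""
    keys = list(_DETAIL_KEY_RE.finditer(text))
    details = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        details[m.group(1)] = text[m.end():end].strip()
    return details


def parse_iss_trap(raw, expected_community="public"):
    """Return a normalized event dict; raise ValueError for a trap that
    should not be accepted (wrong format, enterprise OID or community)."""
    line = " ".join(raw.split())  # tolerate the trap being wrapped across lines
    header = _HEADER_RE.match(line)
    if not header:
        raise ValueError("not an snmptrapd SNMPv1 trap line")
    event = header.groupdict()
    if event["enterprise"] != ISS_ENTERPRISE_OID:
        raise ValueError("trap is not from the ISS enterprise OID")
    if event["community"] != expected_community:
        # Community mismatch: SiteProtector misconfigured, or an unexpected sender.
        raise ValueError("unexpected community string")
    event["specific_trap"] = int(event["specific_trap"])
    for vb in _VARBIND_RE.finditer(line):
        name = VARBIND_FIELDS.get(int(vb.group("idx")), "varbind_" + vb.group("idx"))
        event[name] = vb.group("value")
    event["details"] = parse_alert_details(event.get("alert_details", ""))
    status = event["details"].get("VulnStatus", "")
    # "Simulated block" in the sample means the sensor only detected the event
    # and dropped nothing; a SOC should not treat it as a contained incident.
    event["blocking_enforced"] = "simulated block" not in status.lower()
    return event


def accepts(raw, expected_community="public"):
    """True if the trap parses and passes the enterprise/community checks."""
    try:
        parse_iss_trap(raw, expected_community)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ev = parse_iss_trap(SAMPLE_TRAP)
    print(ev["details"]["AlertName"], ev["src_ip"], "->", ev["dst_ip"],
          "port", ev["dst_port"], "blocking_enforced =", ev["blocking_enforced"])
```

Run the file directly to see the sample reduced to its alert name, the endpoints and the blocking flag. The community check is there because the guide configures SiteProtector with the community string public; a collector that ignores the community accepts traps from anything that can reach UDP 162, so at minimum the value should be compared against what was configured, and a longer, non-default community is preferable where SiteProtector permits it.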
