
External Systems Configuration Guide

AWS Elastic Load Balancer

AWS Elastic Load Balancer (ELB)

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
AWS API Permitted traffic Log analysis

Event Types

In ADMIN > Device Support > Event Types, search for "aws elb" to see the event types associated with this device.

Rules

There are no specific rules available for AWS ELB.

Reports

In RESOURCES > Reports, search for "aws elb" in the main content panel Search... field to see the reports associated with this device.

Configuration

Setup in AWS

Follow the steps here to complete your setup in AWS.

Enable Elastic Load Balancing Access Logs

Take the following steps to enable Elastic Load Balancing Access Logs.

  1. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. On the navigation pane, under LOAD BALANCING, select Load Balancers.
  3. Select your load balancer.
  4. On the Description tab, select Configure Access Logs.
  5. On the Configure Access Logs page, take the following steps:
    1. Select Enable access logs.
    2. Leave Interval as the default (60 minutes).
    3. At S3 location, enter the name of your S3 bucket, including the prefix, for example, my-loadbalancer-logs/my-app. You can specify the name of an existing bucket or a name for a new bucket.
    4. (Optional) If the bucket does not exist, select Create this location for me. You must specify a name that is unique across all existing bucket names in Amazon S3 and follows the DNS naming conventions. For more information, see Bucket naming rules in the Amazon Simple Storage Service Guide.
    5. Click Save.

Enable Event Notifications

Take the following steps to enable Event Notifications.

  1. Go to the Amazon S3 console at https://s3.console.aws.amazon.com/s3/.
  2. Select your bucket.
  3. Click Properties.
  4. Click Event notifications > Create event notification.
    1. Input Event name and Prefix.
    2. Select All object create events for Event Types.
    3. Select SQS queue for Destination.
    4. Select your SQS.
    5. Click Save changes.

    Notes:

    • Do not use this SQS queue with any other servers. The format of SQS messages coming from other servers may not be the same as that of the messages coming from S3 for the ELB server. For example, a message coming from the CloudTrail server may not have the same format.

    • Ensure the Message retention period property for SQS is 12 hours.

    • Ensure the Default visibility timeout property for SQS is 1 day.
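
The settings above can be checked before handing the queue to FortiSIEM. The following is an added example, not Fortinet code: it audits data shaped like the SQS GetQueueAttributes and S3 GetBucketNotificationConfiguration responses. The function names, the constructed inputs and the `my-app/` prefix (taken from the S3 location example above) are assumptions.

```python
from urllib.parse import urlparse

RETENTION_S = 12 * 3600    # guide: Message retention period of 12 hours
VISIBILITY_S = 24 * 3600   # guide: Default visibility timeout of 1 day

def queue_arn_from_url(queue_url):
    """Derive the queue ARN from its URL (standard "aws" partition assumed)."""
    u = urlparse(queue_url)
    region = u.hostname.split(".")[1]
    account, name = u.path.strip("/").split("/")
    return f"arn:aws:sqs:{region}:{account}:{name}"

def audit(queue_url, queue_attrs, notification, log_prefix):
    """Return findings; an empty list means the setup matches the guide."""
    findings = []
    if int(queue_attrs.get("MessageRetentionPeriod", -1)) != RETENTION_S:
        findings.append("retention period is not 12 hours")
    if int(queue_attrs.get("VisibilityTimeout", -1)) != VISIBILITY_S:
        findings.append("visibility timeout is not 1 day")
    arn = queue_arn_from_url(queue_url)
    routes = [q for q in notification.get("QueueConfigurations", [])
              if q.get("QueueArn") == arn]
    if not routes:
        findings.append("bucket has no event notification to this queue")
    for q in routes:
        if "s3:ObjectCreated:*" not in q.get("Events", []):
            findings.append("notification misses some object create events")
        rules = q.get("Filter", {}).get("Key", {}).get("FilterRules", [])
        for r in rules:
            if r["Name"].lower() == "prefix" and not log_prefix.startswith(r["Value"]):
                findings.append("notification prefix excludes the ELB log prefix")
    return findings

# Constructed inputs shaped like the SQS GetQueueAttributes "Attributes" map
# and the S3 GetBucketNotificationConfiguration response.
QUEUE_URL = "https://sqs.us-west-2.amazonaws.com/623885071509/sqsforloadblancer"
LOG_PREFIX = "my-app/AWSLogs/"   # keys written under the guide's example prefix
GOOD_ATTRS = {"MessageRetentionPeriod": "43200", "VisibilityTimeout": "86400"}
SQS_DEFAULTS = {"MessageRetentionPeriod": "345600", "VisibilityTimeout": "30"}
NOTIFICATION = {"QueueConfigurations": [{
    "QueueArn": "arn:aws:sqs:us-west-2:623885071509:sqsforloadblancer",
    "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [{"Name": "Prefix", "Value": "my-app/"}]}},
}]}

if __name__ == "__main__":
    print(audit(QUEUE_URL, GOOD_ATTRS, NOTIFICATION, LOG_PREFIX))
    print(audit(QUEUE_URL, SQS_DEFAULTS, NOTIFICATION, LOG_PREFIX))
```

A queue left at the SQS defaults (4 days retention, 30 seconds visibility timeout) produces two findings.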

Generate a New Access Key

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, select Users.
  3. Click Add user.
  4. In the User Name field, enter a user name.
  5. For AWS access type, select Programmatic access.
  6. Click Next: Permissions.
  7. Select the Attach existing policies directly tab.
  8. Select AmazonS3ReadOnlyAccess and AmazonSQSFullAccess.
  9. Click Next: Tags, then click Next: Review.
  10. Click Create user.
  11. Click Download Credentials. The downloaded CSV file contains the Access Key ID and Secret Access Key that will be used in FortiSIEM.
  12. Click Close.

If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

You can now configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:
      Note: Make sure no other devices use the same credential, otherwise events may appear missing.

      | Settings | Description |
      | --- | --- |
      | Name | Enter a name for the credential |
      | Device Type | Amazon AWS ELB |
      | Access Protocol | AWS_ELB |
      | Region | The region in which your AWS instance is located |
      | Bucket | The AWS S3 bucket |
      | SQS Queue URL | Provide the full URL, for example: https://sqs.us-west-2.amazonaws.com/623885071509/sqsforloadblancer |
      | Password Config | See Password Configuration. |
      | Access Key ID | The access key for your EC2 instance |
      | Secret Key | The secret key for your EC2 instance |
      | Confirm Secret Key | Enter the secret key for validation. |
      | Session Token | If you provided an access key, you can leave this field blank. |
      | Organization | Select an organization from the drop-down list. |
      | Description | Description about the device |
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to AWS ELB.
  5. To see the jobs associated with AWS ELB, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "ELB" in the search box.

Sample Event

AWS-ELB:phCustId=1,reptDevIpAddr=10.10.103.205,reptDevName=amazon.com,msg=http 2021-02-11T01:56:06.000372Z app/shashi-elb/061d492a88a60fb1 10.10.168.108:46938 - -1 -1 -1 503 - 500 337 "POST http://10.10.29.144:80/boaform/admin/formLogin HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" - - arn:aws:elasticloadbalancing:us-west-2:623885071509:targetgroup/shashi-tg/974fbb8764192573 "Root=1-60248eb5-01950dcf187ac3c244ab2231" "-" "-" 0 2021-02-11T01:56:05.999000Z "forward" "-" "-" "-" "-" "-" "-"
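
To read the sample event field by field, the following added example (not Fortinet code) splits it into the FortiSIEM header and the load balancer access log entry carried in `msg`. The field names follow AWS's Application Load Balancer access log documentation and are not FortiSIEM's parsed attribute names; the function names are assumptions.

```python
import shlex

# Field order per the AWS Application Load Balancer access log documentation
# (first 29 fields). These are AWS's names, not FortiSIEM event attributes.
ALB_FIELDS = (
    "type time elb client_port target_port request_processing_time "
    "target_processing_time response_processing_time elb_status_code "
    "target_status_code received_bytes sent_bytes request user_agent "
    "ssl_cipher ssl_protocol target_group_arn trace_id domain_name "
    "chosen_cert_arn matched_rule_priority request_creation_time "
    "actions_executed redirect_url error_reason target_port_list "
    "target_status_code_list classification classification_reason"
).split()

# The sample event from this page, copied verbatim.
SAMPLE_EVENT = (
    'AWS-ELB:phCustId=1,reptDevIpAddr=10.10.103.205,reptDevName=amazon.com,'
    'msg=http 2021-02-11T01:56:06.000372Z app/shashi-elb/061d492a88a60fb1 '
    '10.10.168.108:46938 - -1 -1 -1 503 - 500 337 '
    '"POST http://10.10.29.144:80/boaform/admin/formLogin HTTP/1.1" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" '
    '- - arn:aws:elasticloadbalancing:us-west-2:623885071509:targetgroup/shashi-tg/974fbb8764192573 '
    '"Root=1-60248eb5-01950dcf187ac3c244ab2231" "-" "-" 0 '
    '2021-02-11T01:56:05.999000Z "forward" "-" "-" "-" "-" "-" "-"'
)

def parse_event(raw):
    """Split a FortiSIEM AWS-ELB event into its header and access log fields."""
    head, sep, msg = raw.partition(",msg=")
    if not sep or not head.startswith("AWS-ELB:"):
        raise ValueError("not an AWS-ELB event")
    header = dict(kv.split("=", 1) for kv in head[len("AWS-ELB:"):].split(","))
    tokens = shlex.split(msg)            # keeps double-quoted fields together
    if len(tokens) < len(ALB_FIELDS):
        raise ValueError("truncated access log entry")
    alb = dict(zip(ALB_FIELDS, tokens))  # any newer trailing fields are ignored
    method, _, rest = alb["request"].partition(" ")
    url, _, protocol = rest.rpartition(" ")
    alb.update(method=method, url=url, protocol=protocol)
    return header, alb

def no_target_response(alb):
    """True when no target produced the response, so the status code
    was set by the load balancer itself."""
    return alb["target_port"] == "-" and alb["target_status_code"] == "-"

if __name__ == "__main__":
    header, alb = parse_event(SAMPLE_EVENT)
    print(header["reptDevIpAddr"], alb["client_port"], alb["method"], alb["url"])
    print(alb["elb_status_code"], "no target response:", no_target_response(alb))
```

In the sample, the target field is `-` and the processing times are `-1`, so the 503 was returned by the load balancer without the request reaching a target.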
