Fortinet Document Library

External Systems Configuration Guide

Cisco IronPort Web Gateway

What is Discovered and Monitored

Protocol: Syslog
Information discovered: (none)
Metrics collected: Squid style web logs; attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action
Used for: Security monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "ironport-web" to see the event types associated with this device. 

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device. 

Configuration

Syslog

  1. Log in to your IronPort gateway device manager with administrator privileges.
  2. Edit the settings for Log Subscription:

     Log Type: Access Logs
     Log Name: IronPort-Web (this name identifies the log to FortiSIEM as originating from an IronPort web gateway device)
     Log Style: Squid
     Custom Fields: %L %B %u
     Enable Log Compression: clear the selection
     Retrieval Method: Syslog Push
     Hostname: the IP address of your FortiSIEM virtual appliance
     Protocol: UDP

Sample Parsed IronPort Web Gateway Syslog

<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/Package/1210090007/bases/base1b1d.kdc.cab - DIRECT/forefrontdl.microsoft.com application/octet-stream ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NONE-DefaultGroup <J_Doe,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_swup,-,"-","-","Unknown","Unknown","-","-",6156.35,0,-,"-","-"> - "09/Oct/2012:09:19:25 -0600" 71052 "V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};"
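The parser below is an added example for checking what the Log Subscription above actually delivers; it is not FortiSIEM's own parser and not Cisco's code. It splits the syslog header and the Squid-style record in the order shown in the sample line (client IP, result code and status, bytes, method, URL, hierarchy and destination host, content type, decision tag, verdict block, then the custom fields), derives the proxy action from the decision-tag prefix, and reads the URL category and WBRS score from the angle-bracket verdict block. The positions assumed inside that block (0 = request-side category, 1 = WBRS score, 19 = response-side category) are my reading of the AsyncOS access-log layout, not something this page states, so confirm them against the device's log reference before relying on them. The second sample line (a BLOCK_WEBCAT denial to example.test) is constructed for the example.

```python
import csv
import re
import shlex
from collections import Counter

# Syslog header plus the Squid-style access record emitted by the Log Subscription.
# Field order follows the sample line on this page.
ACCESS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<log_name>[^:]+): (?P<level>\w+): "
    r"(?P<epoch>\d+\.\d+) (?P<elapsed_ms>\d+) (?P<src_ip>\S+) "
    r"(?P<result_code>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>[A-Z_]+) (?P<url>\S+) (?P<ident>\S+) "
    r"(?P<hierarchy>[A-Z_]+)/(?P<dst_host>\S+) (?P<content_type>\S+) "
    r"(?P<decision_tag>\S+) <(?P<verdict>[^>]*)>(?P<tail>.*)$"
)

# Decision tags start with the proxy action (ALLOW_CUSTOMCAT, BLOCK_WEBCAT, ...).
ACTION_RE = re.compile(
    r"^(DEFAULT_CASE|NO_AUTHORIZATION|ALLOW|BLOCK|MONITOR|REDIRECT|DECRYPT|PASSTHRU|DROP|OTHER)"
)

# Assumed positions inside the <...> verdict block; verify against your AsyncOS release.
VERDICT_REQ_CATEGORY = 0
VERDICT_WBRS = 1
VERDICT_RESP_CATEGORY = 19


def syslog_pri(pri: int) -> tuple:
    """Split a syslog PRI into (facility, severity); <134> is local0 (16) / info (6)."""
    return pri // 8, pri % 8


def parse_ironport_access(line: str) -> dict:
    """Parse one IronPort-Web syslog line into the attributes FortiSIEM keys on."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        raise ValueError("not an IronPort Squid-style access record")
    g = m.groupdict()
    facility, severity = syslog_pri(int(g["pri"]))
    # The verdict block is comma-separated with double-quoted values; csv handles the quoting.
    verdict = next(csv.reader([g["verdict"]]))
    wbrs = verdict[VERDICT_WBRS] if len(verdict) > VERDICT_WBRS else "-"
    action = ACTION_RE.match(g["decision_tag"])
    return {
        "facility": facility,
        "severity": severity,
        "log_name": g["log_name"],
        "epoch": float(g["epoch"]),
        "elapsed_ms": int(g["elapsed_ms"]),
        "src_ip": g["src_ip"],
        "result_code": g["result_code"],
        "status": int(g["status"]),
        "bytes": int(g["bytes"]),
        "method": g["method"],
        "url": g["url"],
        "dst_host": g["dst_host"],
        "content_type": g["content_type"],
        "decision_tag": g["decision_tag"],
        "proxy_action": action.group(1) if action else g["decision_tag"].split("_")[0],
        "url_category_request": verdict[VERDICT_REQ_CATEGORY] if verdict else "-",
        "url_category_response": verdict[VERDICT_RESP_CATEGORY] if len(verdict) > VERDICT_RESP_CATEGORY else "-",
        "wbrs_score": float(wbrs) if wbrs not in ("-", "") else None,
        # %L %B %u custom fields and anything else after the verdict block, quotes removed.
        "extra_fields": shlex.split(g["tail"]),
    }


def action_summary(lines) -> dict:
    """Count records per proxy action; a rising BLOCK share from one client is worth a look."""
    return dict(Counter(parse_ironport_access(ln)["proxy_action"] for ln in lines))


# Sample line from this page (quotes as the device emits them).
SAMPLE_ALLOW = (
    '<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 '
    'TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/'
    'scanengineupdate/x86/Kaspersky/Package/1210090007/bases/base1b1d.kdc.cab - '
    'DIRECT/forefrontdl.microsoft.com application/octet-stream '
    'ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NONE-DefaultGroup '
    '<J_Doe,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_swup,-,"-","-","Unknown",'
    '"Unknown","-","-",6156.35,0,-,"-","-"> - "09/Oct/2012:09:19:25 -0600" 71052 '
    '"V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};"'
)

# Constructed sample of a category block (not from the page).
SAMPLE_BLOCK = (
    '<134>Oct 09 09:20:01 IronPort-Web: Info: 1349796001.101 15 10.163.154.77 '
    'TCP_DENIED/403 0 GET http://example.test/dl/tool.exe - NONE/- - '
    'BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup '
    '<IW_hack,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_hack,-,"-","-","Unknown",'
    '"Unknown","-","-",0.00,0,-,"-","-"> - "09/Oct/2012:09:20:01 -0600" 0 "-"'
)

if __name__ == "__main__":
    for ln in (SAMPLE_ALLOW, SAMPLE_BLOCK):
        rec = parse_ironport_access(ln)
        print(rec["src_ip"], rec["proxy_action"], rec["status"], rec["dst_host"], rec["url_category_response"])
    print(action_summary([SAMPLE_ALLOW, SAMPLE_BLOCK]))
```

Running the script against a few lines captured on the FortiSIEM collector (for example from a packet capture on UDP 514) is a quick way to confirm that the Log Name, Log Style and Custom Fields were set as the table above requires: a line that fails the regex usually means the subscription is not in Squid style or is still compressed.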

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cisco IronPort AsyncOS Web
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration
