External Systems Configuration Guide

Fortinet FortiMail

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | (none) | System events (e.g. configuration changes), system up/down/restart events, performance issues, admin logon events, malware attachments | Security monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "fortimail" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "fortimail" in the main content panel Search... field to see the rules associated with this device.

For generic availability rules, see RESOURCES > Rules > Availability > Network.

For generic performance rules, see RESOURCES > Rules > Performance > Network.

Reports

In RESOURCES > Reports, search for "fortimail" in the main content panel Search... field to see the reports associated with this device.

Configuration

Syslog

Configure the FortiMail appliance to send logs to FortiSIEM, and make sure the log format matches the settings below so that the FortiSIEM parser recognizes the events.

In the FortiMail GUI, go to Log & Report > Log Settings > Remote (tab) > New.

Suggested Logging configuration:

Name | Description
Name | Define a name for the configuration.
Server name/IP | Enter the resolvable DNS name or IP of the FortiSIEM appliance where logs will be sent.
Server port | 514
Mode | UDP
Level | Information
Facility | kern
CSV format | leave disabled
Matched session only | leave disabled

Sample Parsed FortiMail Syslog

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"

date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"
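The following Python example is added here to illustrate two points from this section and is not part of the FortiSIEM guide or Fortinet's own code: it computes the RFC 3164 syslog PRI that the recommended Facility kern / Level Information settings produce (kern is facility 0, informational is severity 6, so the datagram starts with "<6>"), and it parses FortiMail's key=value record format, including quoted values that contain spaces such as classifier="Recipient Verification", which a naive split on whitespace would break. The two sample records are the ones shown above, rejoined into single lines; the classify() tags and the function names are this example's own, not FortiSIEM event type names.

```python
import re
from typing import Dict, List

# Constructed input: the two parsed FortiMail events shown on this page, each
# rejoined into the single-line record the appliance actually emits.
SAMPLE_EVENTS: List[str] = [
    'date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event '
    'subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success '
    'reason=none msg="User admin login successfully from GUI(172.20.120.26)"',
    'date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics '
    'pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" '
    'dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" '
    'subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" '
    'classifier="Recipient Verification" message_length="188"',
]

# RFC 3164 facility and severity codes (subset) for the settings recommended above.
SYSLOG_FACILITIES = {"kern": 0, "user": 1, "mail": 2, "local0": 16}
SYSLOG_SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                     "warning": 4, "notice": 5, "information": 6, "debug": 7}


def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; 'kern' + 'information' yields 6."""
    return SYSLOG_FACILITIES[facility] * 8 + SYSLOG_SEVERITIES[severity]


def build_syslog_datagram(body: str, facility: str = "kern",
                          severity: str = "information") -> bytes:
    """Wrap a FortiMail record as a UDP/514 sender would: '<PRI>' prefix, then the record."""
    return f"<{syslog_pri(facility, severity)}>{body}".encode()


# key=value where the value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters such as GUI(172.20.120.26).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortimail(record: str) -> Dict[str, str]:
    """Parse a FortiMail key=value record; a leading syslog '<PRI>' is stripped if present."""
    if record.startswith("<") and ">" in record:
        record = record[record.index(">") + 1:]
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(record):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # unquote; subject="" becomes the empty string
        fields[key] = value
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Tag the two event kinds the page's samples show (hypothetical tags, not FortiSIEM names)."""
    if (fields.get("type") == "event" and fields.get("subtype") == "admin"
            and fields.get("action") == "login"):
        return f"admin-login:{fields.get('status')}:{fields.get('ui')}"
    if fields.get("type") == "statistics" and fields.get("disposition") == "Reject":
        return f"mail-rejected:{fields.get('classifier')}"
    return "other"


def summarize(records: List[str]) -> List[str]:
    """Parse each record and return its tag, in order."""
    return [classify(parse_fortimail(r)) for r in records]


if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        datagram = build_syslog_datagram(rec)
        print(datagram[:4], classify(parse_fortimail(datagram.decode())))
```

Run it with python3 and it prints the "<6>" prefix each datagram would carry along with the tag derived from the record. The regex keeps quoted values intact, which is the part a collector most often gets wrong when it splits on spaces; if your FortiMail sends a different facility or level, the "<PRI>" value is what to compare against the settings table above.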

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Fortinet FortiMail
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration
