External Systems Configuration Guide

Fortinet FortiNAC

Integration Points

Method   Information discovered    Metrics collected   LOGs collected                                     Used for
Syslog   Host name, Reporting IP   None                Administrative and User Admission Control events   Security monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "FortiNAC" to see the event types associated with this device.

Rules

No specific rules are written for FortiNAC, but the generic rules for network admission control apply.

Reports

No specific reports are written for FortiNAC, but the generic reports for network admission control apply.

Configuration

Configure the FortiNAC system to send logs to FortiSIEM in the supported format (see Sample Events below).

To configure FortiNAC to send syslog to FortiSIEM, take the following steps:

Note: Refer to the current FortiNAC Administration Guide for up-to-date instructions. The steps given here for configuring syslog for FortiSIEM are taken from the 9.1.0 FortiNAC Administration Guide.

  1. Click System > Settings.

  2. In the left navigation tree, select System Communication > Log Receivers.

  3. Click Add to add a log host.

  4. Enter the configuration parameters from the following table to configure:

    Field        Definition
    Type         Select Syslog Common Event Format (CEF) for FortiSIEM configuration.
    IP address   Provide the IP address of the FortiSIEM Collector that will receive Event and Alarm messages.
    Port         The default port for Syslog CEF servers is 514. Leave as is.
    Facility     Displays only when Syslog is selected as the Type. Allows you to configure the message type. The default is 4 security/authorization messages. Leave as is.

  5. Click OK.

Settings for Access Credentials

None required.

Sample Events

<37>Jan 08 19:03:45 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.0.79|426|Adapter Destroyed|1|rt=Jan 08 19:03:45 269 UTC cat=EndStation msg=Adapter 18:5E:0F:AA:56:31 Destroyed.

<37>Dec 06 10:34:42 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.1.30|447702|Admin User Login Success|1|rt=Dec 06 10:34:42 736 CET cat= suid=guiadmin msg=Admin user guiadmin logged in.

<37>Apr 16 11:06:19 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.6.104|605250|Security Risk Host|1|rt=Apr 16 11:06:19 447 CEST cat=EndStation src=192.168.242.20 smac=00:26:9E:D9:87:12 shost=X100e-1 cs1Label=Physical<space>network<space>location cs1=BA-HPswitch GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface } msg=Host failed Windows-PA-Notepad Tests: Failed :: Custom :: Notepad MAC Address: 00:26:9E:D9:87:12 Last Known Adapter IP: 192.168.242.20 Host Location: BA-HPswitch GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface }