External Systems Configuration Guide

FortiDDoS

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: Host Name, Access IP, Vendor/Model
Metrics Collected: Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "FortiDDoS" to see the event types associated with this device.

Rules

There are many IPS correlation rules for this device under RESOURCES > Rules > Security > Exploits.

Reports

There are many reports for this device under RESOURCES > Reports > Function > Security.

Configuration

Syslog

FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM by taking the following steps, as directed in the device's product documentation:

FortiDDoS documentation is available here: https://help.fortinet.com/fddos/4-7-0/index.htm#fortiddos/Configuring_remote_log_server_settings_for_event_l.htm

  1. Navigate to Log & Report > Event Log Remote.

  2. Click Add.

  3. Complete the configuration.

  4. Click Save.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Fortinet FortiDDoS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Example Syslog

Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice
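The two example messages above are key=value records; the first carries a syslog header before the first field, and the field names differ in case between the samples (sIP/dIP/dropCount versus sip/dip/dropcount). The parser below is an added example, not FortiSIEM's or Fortinet's code: it normalises those fields from the page's two samples and applies an assumed drop-count threshold (10000, a placeholder value) to flag high-volume attack events.

```python
import re
from typing import Dict

# The two example messages from this page, each joined back onto one line.
SAMPLE_MESSAGES = [
    'Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 '
    'time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 '
    'sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312',
    'devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 '
    'evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per '
    'Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default '
    'dropcount=40249 facility=Local0 level=Notice',
]

# key=value or key="quoted value"; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Keys are lowercased, then a few are mapped to one common name so that both
# spellings seen on this page land in the same field.
ALIASES = {"sip": "src_ip", "dip": "dst_ip", "dropcount": "drop_count"}


def parse_fortiddos(line: str) -> Dict[str, str]:
    """Parse one FortiDDoS syslog message into normalised fields.

    Any text before the first key=value pair (the syslog timestamp and relay IP
    in the first sample) is kept under 'header'.
    """
    first = KV_RE.search(line)
    header = line[: first.start()].strip() if first else line.strip()
    fields: Dict[str, str] = {"header": header} if header else {}
    for m in KV_RE.finditer(line):
        key = m.group(1).lower()
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[ALIASES.get(key, key)] = value
    return fields


def triage(fields: Dict[str, str], drop_threshold: int = 10000) -> Dict[str, object]:
    """Minimal alert record: attack events at or above drop_threshold are 'high'.

    The threshold is an assumption for this example, not a FortiSIEM default.
    Events without a description fall back to their event code and subcode.
    """
    drops = int(fields.get("drop_count", "0"))
    fallback = f"evecode={fields.get('evecode')} evesubcode={fields.get('evesubcode')}"
    return {
        "is_attack": fields.get("type") == "attack",
        "severity": "high" if drops >= drop_threshold else "low",
        "source": fields.get("src_ip"),
        "description": fields.get("description", fallback),
    }
```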
