DOCUMENT LIBRARY

External Systems Configuration Guide

FortiSIEM External Systems Configuration Guide Online
Change Log
TABLE OF CONTENTS
Overview
FortiSIEM Port Usage
Supported Devices and Applications by Vendor
Applications
- Application Server
- Authentication Server
- Database Server
- DHCP and DNS Server
- Directory Server
  - Microsoft Active Directory
- Document Management Server
  - Microsoft SharePoint
- Healthcare IT
  - Epic EMR/EHR System
- Mail Server
  - Microsoft Exchange
- Management Server/Appliance
- Remote Desktop
  - Citrix Receiver (ICA)
- Source Code Control
- Unified Communication Server
- Web Server
Blade Servers
- Cisco UCS Server
- HP BladeSystem
Cloud Access Security Broker
- Fortinet FortiCASB
- Oracle Cloud Access Security Broker (CASB)
Cloud Applications
- Alicide.io KAudit
- AWS Access Key IAM Permissions and IAM Policies
- AWS CloudTrail API
- Amazon AWS EC2
- AWS EC2 CloudWatch API
- AWS Elastic Load Balancer
- AWS Kinesis
- AWS RDS
- AWS Security Hub
- AWS Simple Queue Service (SQS)
- Amazon Simple Storage Service (AWS S3)
- Box.com
- Cisco Umbrella
- G42 Cloud
- Google Cloud Platform - Pub/Sub Integration
- Google Workspace (Formerly G Suite and Google Apps)
- Microsoft Azure Audit
- Microsoft Azure Compute
- Microsoft Azure Event Hub
- Microsoft Cloud App Security
- Microsoft Defender for Identity/Microsoft Azure ATP
- Microsoft Entra Identity Protection
- Microsoft Office365 Audit
- Okta
  - Adding Users from Okta
  - Configuring Okta Authentication
  - Logging In to Okta
  - Setting Up External Authentication
- Oracle Cloud Infrastructure
- Salesforce CRM Audit
- Zscaler Nanolog Streaming Service (NSS)
Console Access Devices
- Lantronix SLC Console Manager
Customer Relationship Management
- Workday Enterprise Suite
Digital Risk Protection
- Fortinet FortiRecon
End Point Security Software
- Bit9 Security Platform
- Bitdefender GravityZone
- Carbon Black Security Platform
- Cisco AMP Cloud V0
- Cisco AMP Cloud V1
- Cisco Security Agent (CSA)
- CloudPassage Halo
- Crowdstrike
- Cybereason
- Digital Guardian CodeGreen DLP
- ESET NOD32 Anti-Virus
- FortiClient
- FortiClient EMS
- Fortinet FortiEDR
- Kaspersky
- Malwarebytes Breach Remediation
- MalwareBytes EndPoint Protection
- McAfee ePolicy Orchestrator (ePO)
- Microsoft Windows Defender ATP
- MobileIron Sentry and Connector
- Netwrix Auditor (via Correlog Windows Agent)
- Palo Alto Traps Endpoint Security Manager
- SentinelOne
- Sophos Central
- Sophos Endpoint Security and Control
- Symantec Endpoint Protection
- Symantec SEPM
- Tanium Connect
- Trend Micro Interscan Web Filter
- Trend Micro Intrusion Defense Firewall (IDF)
- Trend Micro OfficeScan
- Trend Vision One
Firewalls
- Check Point FireWall-1
- Check Point Provider-1 Firewall
- Check Point VSX Firewall
- Cisco Adaptive Security Appliance (ASA)
- Cisco Firepower Threat Defense (FTD)
- Clavister Firewall
- Cyberoam Firewall
- Dell SonicWALL Firewall
- Fortinet FortiGate Firewall
- Hillstone Firewall
- Imperva Securesphere Web App Firewall
- Juniper Networks SSG Firewall
- McAfee Firewall Enterprise (Sidewinder)
- Palo Alto Firewall
- Sophos UTM Firewall
- Stormshield Network Security
- Tigera Calico
- UserGate UTM Firewall
- WatchGuard Firebox Firewall
Load Balancers and Application Firewalls
- Barracuda Web Application Firewall
- Brocade ServerIron ADX
- Citrix Netscaler Application Delivery Controller (ADC)
- F5 Networks Application Security Manager
- F5 Networks Local Traffic Manager
- F5 Networks Web Accelerator
- Fortinet FortiADC
- Qualys Web Application Firewall
- Zscaler Cloud Firewall
Log Aggregators
- Fortinet FortiAnalyzer
Network Access Control
- Fortinet FortiNAC
- HPE Aruba Networking ClearPass Policy Manager
Network Compliance Management Applications
- Cisco Network Compliance Manager
- PacketFence Network Access Control (NAC) Integration
Network Detection and Response (NDR)
- Fortinet FortiNDR (Formerly FortiAI)
- Fortinet FortiNDR Cloud
- Zeek Network Security Monitor (Previously known as Bro)
Network Intrusion Detection System
- Microsoft Advanced Threat Analytics (ATA) On Premise Platform
Network Intrusion Prevention Systems (IPS)
- 3COM TippingPoint UnityOne IPS
- AirTight Networks SpectraGuard
- Alert Logic IRIS API
- Armis Asset Intelligence Platform
- Cisco FireSIGHT and FirePower Threat Defense
- Cisco Intrusion Protection System
- Cisco Stealthwatch
- Claroty Continuous Threat Detection
- Corero Smartwall Threat Defense System
- Cylance Protect Endpoint Protection
- Cyphort Cortext Endpoint Protection
- Damballa Failsafe
- Darktrace CyberIntelligence Platform
- Dragos Platform
- FireEye Malware Protection System (MPS)
- FortiDDoS
- Fortinet FortiDeceptor
- Fortinet FortiSandbox
- Fortinet FortiTester
- IBM Internet Security Series Proventia
- Juniper DDoS Secure
- Juniper Networks IDP Series
- McAfee Network Security Platform (Formerly McAfee IntruShield)
- McAfee Stonesoft IPS
- Motorola AirDefense
- Nozomi
- Palo Alto Cortex XDR
- Radware DefensePro
- Snort Intrusion Prevention System
- Sourcefire 3D and Defense Center
- Trend Micro Deep Discovery
- Zeek (Bro) installed on Security Onion
Operational Technology
- APC Netbotz Environmental Monitor
- APC UPS
- Claroty Continuous Threat Detection
- Dragos Platform
- Generic UPS
- Hirschman SCADA Firewalls and Switches
- Liebert FPC
- Liebert HVAC
- Liebert UPS
- Microsoft Defender for IoT (Was CyberX OT/IoT Security)
- Nozomi Central Management Control
- Nozomi SCADAguardian
- OTORIO RAM2 (Risk Assessment, Monitoring and Management)
Routers and Switches
- Alcatel TiMOS and AOS Switch
- Arista Router and Switch
- ArubaOS-CX Switching Platform
- Brocade NetIron CER Routers
- Cisco 300 Series Routers
- Cisco IOS Router and Switch
  - How CPU and Memory Utilization is Collected for Cisco IOS
- Cisco Meraki Cloud Controller and Network Devices
- Cisco NX-OS Router and Switch
- Cisco ONS
- Cisco Viptela SDWAN Router
- Dell Force10 Router and Switch
- Dell NSeries Switch
- Dell PowerConnect Switch and Router
- Foundry Networks IronWare Router and Switch
- HP/3Com ComWare Switch
- HP ProCurve Switch
- HP Value Series (19xx) and HP 3Com (29xx) Switch
- Hirschman SCADA Firewalls and Switches
- Juniper Networks JunOS Switch
- Mikrotek Router
- Nortel ERS and Passport Switch
Security Gateways
- Barracuda Networks Spam Firewall
- Blue Coat Web Proxy
- Cisco IronPort Mail Gateway
- Cisco IronPort Web Gateway
- Fortinet FortiMail
- Fortinet FortiProxy
- Fortinet FortiWeb
- Imperva Securesphere DB Monitoring Gateway
- Imperva Securesphere Security Gateway
- McAfee Web Gateway
- Microsoft ISA Server
- Proofpoint
- Squid Web Proxy
- SSH Comm Security CryptoAuditor
- Thales Vormetric Data Security Manager
- Websense Web Filter
Security Information and Event Management
- SAP Enterprise Threat Detection (ETD)
Security Orchestration (SOAR)
- Fortinet FortiSOAR
Servers and Workstations
- Apple MacOS Server
- HP UX Server
- IBM AIX Server
- IBM OS400 Server
- Linux Server
- Microsoft Windows Server
- QNAP Turbo NAS
- Sun Solaris Server
Storage
- Brocade SAN Switch
- Dell Compellant Storage
- Dell EqualLogic Storage
- EMC Clarion Storage
- EMC Isilon Storage
- EMC VNX Storage
- NetApp DataOnTap
- NetApp Filer Storage
- Nimble Storage
- Nutanix Storage
Threat Intelligence
- FortiInsight
- Lastline
- ThreatConnect
Virtualization
- HyperV
- HyTrust CloudControl
- KVM
- Nutanix Prism
- VMware ESX
VPN Gateways
- Cisco VPN 3000 Gateway
- Cyxtera AppGuard
- Juniper Networks SSL VPN Gateway
- Microsoft PPTP VPN Gateway
- Pulse Secure
Vulnerability Scanners
- AlertLogic
- Digital Defense Frontline Vulnerability Manager
- Green League WVSS
- McAfee Vulnerability Manager (Formerly McAfee Foundstone Vulnerability Scanner)
- Qualys QualysGuard Scanner
- Qualys Vulnerability Scanner
- Rapid7 NeXpose Vulnerability Scanner (Vulnerability Management On-Premises)
- Rapid7 InsightVM (Platform Based Vulnerability Management)
- Tenable.io
- Tenable Nessus Vulnerability Scanner
- Tenable Security Center
- YXLink Vulnerability Scanner
WAN Accelerators
- Cisco Wide Area Application Server
- Riverbed SteelHead WAN Accelerator
Wireless LANs
- Aruba Networks Wireless LAN
- Cisco Wireless LAN
- CradlePoint
- FortiAP
- FortiWLC
- Motorola WiNG WLAN AP
- Ruckus Wireless LAN
- Ubiquiti
Generic Log API Poller (HTTPS_ADVANCED) Integration
Ingesting JSON Formatted Events Received via HTTP(S) POST
Using Virtual IPs to Access Devices in Clustered Environments
Syslog
Syslog over TLS
SNMP V3 Traps
Flow Support
Appendix
- CyberArk to FortiSIEM Log Converter XSL
- Access Credentials

Home FortiSIEM 7.1.3 External Systems Configuration Guide

7.1.3

ArubaOS-CX Switching Platform

Support Added: FortiSIEM 6.3.2

Vendor: Aruba Networks (a Hewlett Packard Enterprise company)

Product Information: https://www.arubanetworks.com/products/switches/

What is Discovered and Monitored
Configuration
Sample Events

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of ArubaOS-CX switches.

Protocol	Metrics Collected	Used For
Syslog	Audit logs, General Performance and Availability logs	Security and Compliance

Configuration

Logging allows you to add syslog servers where the event log messages related to the AOS-CX switches are saved. For each of the syslog server added, you can configure the severity of the event logs to be saved on these servers. Configuration of the severity level for the debug logs can be done by configuring the severity at the global level. However, a minimum of one syslog server must be added to configure the global severity level.

Configuration via CLI
Configuration via GUI

Configuration via CLI

To configure syslog for an ArubaOS-CX switch, run the following CLI command.

logging <destIP or FQDN of FortiSIEM collector>

Example: logging 192.0.2.0

Configuration via GUI

To configure syslog for an ArubaOS-CX switch, take the following steps.

Note: For the latest configuration instructions, see Configuring Logging Servers for AOX-CX at https://help.central.arubanetworks.com/latest/documentation/online_help/content/aos-cx/cfg/conf-cx-logging.htm

In the Network Operations app, select one of the following options:
1. To select a group in the filter:
  1. Set the filter to a group. The dashboard context for the group is displayed.
  2. Under Manage, click Devices > Switches.
  3. Click the AOS-CX or the Config icon to view the AOS-CX switch configuration dashboard.
2. To select a switch:
  1. Set the filter to Global or a group containing at least one switch.
  2. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
  3. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
  4. Under Manage, click Device.
    
    The AOS-CX UI configuration page is displayed.
Click System > Logging. The Logging page is displayed.
Select the debug syslog severity level at the global level from the Level drop-down list.This severity level is applied to the debug logs that are saved on the syslog servers. You must add a minimum of one event syslog server before configuring the global severity level.

In the Logging Servers table, click + to add a logging server and configure the following parameters in the Add Logging Server page.

Parameters	Description	Value
FQDN or IP address	Fully Qualified Domain Name (FQDN) hostname or IP address of the logging server.	Enter the IPv4 address in the x.x.x.x format or the hostname of the server.
Level	Severity level of the events that the logging server must log.	The following severity levels are supported: Emergency Critical Alert Error Warning Notice Information Debug
VRF	VRF on which the logging server is configured.	Default or Management.

Parameters

Description

Value

FQDN or IP address

Fully Qualified Domain Name (FQDN) hostname or IP address of the logging server.

Enter the IPv4 address in the x.x.x.x format or the hostname of the server.

Level

Severity level of the events that the logging server must log.

The following severity levels are supported:

Emergency
Critical
Alert
Error
Warning
Notice
Information
Debug

VRF

VRF on which the logging server is configured.

Default or Management.

Click Apply and then click Save.
To edit parameters of a logging server, select the row in the Logging Servers table and click the edit icon. The Edit Logging Server page is displayed. You can edit only the event log severity level and the VRF.
Click Apply and then click Save.
To delete the syslog server, select the row in the Logging Servers table and click the delete icon.
Click OK in the confirmation pop-up and then click Save.

Sample Events

<190>1 2021-08-31T12:29:06.148824-06:00 lab-1 hpe-restd 886 - - Event|4604|LOG_INFO|AMM|-|Session started for user user1, session reO7LY123452GW7JlMw==
<190>1 2021-09-01T07:43:56.409226-06:00 lab-1 hpe-restd 886 - - Event|4609|LOG_INFO|AMM|-|User aruba-admin added newuser-test with role admin-role