Fortinet white logo
Fortinet white logo

User Guide

Forwarding FortiADC attack logs to Threat Analytics

Forwarding FortiADC attack logs to Threat Analytics

Through the FortiADC integration with FortiWeb Cloud Threat Analytics, you can forward FortiADC attack logs to FortiWeb Cloud where the Al-based Threat Analytics engine identifies unknown attack patterns by parsing through all FortiADC attack logs and then aggregating similar or related attack logs into single incidents. This allows you to use these identified attack patterns to protect your application against the identified threats.

Prerequisites for using Threat Analytics for FortiADC attack logs:

  • You must have a valid Threat Analytics service license.

  • You must have the Threat Analytics service enabled in FortiADC.

Please note that when your license expires or becomes invalid, the log forwarding will stop immediately regardless of whether the Threat Analytics service is enabled.

14-Day Evaluation license

A 14-day Evaluation license is offered to customers who would want to evaluate the Threat Analytics service. This 14- day Evaluation license can only be used once. To activate the 14-day Evaluation license, enable Threat Analytics connector from Security Fabric > Fabric Connectors. During this 14-day trial period, you can disable and re-enable Threat Analytics anytime. The 14-day trial period starts from the first time Threat Analytics is enabled. When you are ready to purchase the full license with the Threat Analytics service, contact the Fortinet Sales team.

To enable Threat Analytics:

  1. Register the license with the Threat Analytics feature on the Support site: HTTPs://support.fortinet.com
  2. Log in to FortiADC.
  3. In the Dashboard > Status License widget, check the status ofThreat Analytics. The status should be displayed as Valid.

  4. Go to Security Fabric > Fabric Connectors. Under Other Fortinet Products section, locate the Threat Analytics connector.

  5. Enable Threat Analytics.

    GUI

    Go to Security Fabric > Fabric Connectors and enable the Threat Analytics connector.

  6. CLI

    config system global

    set threat-analytics enable

    set threat-analytics-authrul <auth-url>

    end

    If you do not have an active Threat Analytics contract, you will receive the following message:

  7. Once the Threat Analytics connector successfully connects FortiADC to the FortiWeb Cloud Threat Analytics service, a new local certificate and CA will be created. Check the certificates and CA to ensure they are present.

    1. Go to System > Manage Certificates to locate the new local certificate with the name Threat_analytics_cert_<date_of_today>.

    2. Go to System > Verify to locate the new CA with the name Threat_analytics_CA_<date_of_today>.

    3. A new syslog global_remote server will be created with the FQDN address type and with the comment "fweb_cloud".
  8. Wait to allow FortiADC to generate attack logs and forward them to FortiWeb Cloud.
  9. Log In to FortiWeb Cloud with the account you used when registering your license on the Fortinet Support site.

Do not delete of modify the syslog remote and certificate/CA entry. Threat Analytics cannot be functional without these configurations.

Threat Analytics in VDOM

When Threat Analytics is enabled in VDOMs, Override in the Syslog Server configuration will be disabled in order to use the global syslog server. If you have previously enabled Override in the Syslog Server configuration, then the default global syslog server list would be removed and you may use a new syslog server list specifically defined in the VDOM. By default, the new syslog remote server would also be created in all the VDOMs with Threat Analytics enabled, which disables Override in order to use the global syslog server. When Threat Analytics is enabled, it will always use the global or root DNS, and not the VDOM's DNS.

Threat Analytics in HA

In HA mode, only the primary node is connected to FortiWeb Cloud Threat Analytics and then the certification and syslog configurations are synchronized to the secondary. This workflow is designed to prevent HA synchronization issues that can arise with having both the primary and secondary nodes connect to the FortiWeb Cloud at the same time. As only the primary node is connected to FortiWeb Cloud, the Threat Analytics status in the secondary node will show as "disconnected".

Threat Analytics troubleshooting and debugging

You can use the following tools to diagnose and troubleshoot Threat Analytics issues in FortiADC

Threat Anaytics connector

When you enable the threat analytics connector, the Threat Analytics service license status will display.

The and icons indicate whether the Threat Analytics connector has successfully connected to the FortiWeb Cloud server. If the connection is down , FortiADC will first perform an inspection of the Threat Analytics license status to determine whether the connection issue is caused by an invalid license. If a valid Threat Analytics license exists, then further troubleshooting may be required to determine the root cause of the Threat Analytics connection issue.

License Status

Description

0

No license

1

Advanced license

2

Standard license, has not enabled threat analytics before

3

Standard license, has enabled threat analytics before, has not expired.

4

Standard license, expired.

CLI commands to debug logs relating to Threat Analytics
Command Guidelines
diagnose debug module wassd

To view the debug informatio of he wassd daemon.

The wassd daemon forms the connection between FortiADC and FortiWeb Cloud and performs several integral functions when Threat Analytics is enabled. This includes the following:

• Establishing a web socket connection with the FortiWeb Cloud using a token. The wassd identifies whether a CA exists before registering to theFortiWeb Cloud. If a CA does exist, then the wassd will send the issue date of the CA certificate to the FortiWeb Cloud.

• Updating FortiWeb Cloud with FortiADC configuration changes, such as HA status changes, member updates, or mode modification.

• Updating device certificates received from the FortiWeb Cloud. lfwassd registered to the FortiWeb Cloud without the issue date of the CA or that the certificate has expired, then FortiWeb Cloud will send new certificates (including the certificate, key, and CA) to wassd. The wassd will update to the local certificate and CA table, and register to FortiWeb Cloud again with the latest CA issue date.

• Starting the forwarding of FortiADC attack logs to FortiWeb Cloud. If wassd has successfully registered to FortiWeb Cloud, then it will start the action with the log server and port from the FortiWeb Cloud.

Note:

The wassd daemon is create for Threat Analytics and executes the wassd_ws Python script when Threat Analytics is enabled. The backend log for the Python script is stored in /var/log/wassd.log

diagnose sysem threat-analytics info To view the system information for Threat Analytics

Forwarding FortiADC attack logs to Threat Analytics

Forwarding FortiADC attack logs to Threat Analytics

Through the FortiADC integration with FortiWeb Cloud Threat Analytics, you can forward FortiADC attack logs to FortiWeb Cloud where the Al-based Threat Analytics engine identifies unknown attack patterns by parsing through all FortiADC attack logs and then aggregating similar or related attack logs into single incidents. This allows you to use these identified attack patterns to protect your application against the identified threats.

Prerequisites for using Threat Analytics for FortiADC attack logs:

  • You must have a valid Threat Analytics service license.

  • You must have the Threat Analytics service enabled in FortiADC.

Please note that when your license expires or becomes invalid, the log forwarding will stop immediately regardless of whether the Threat Analytics service is enabled.

14-Day Evaluation license

A 14-day Evaluation license is offered to customers who would want to evaluate the Threat Analytics service. This 14- day Evaluation license can only be used once. To activate the 14-day Evaluation license, enable Threat Analytics connector from Security Fabric > Fabric Connectors. During this 14-day trial period, you can disable and re-enable Threat Analytics anytime. The 14-day trial period starts from the first time Threat Analytics is enabled. When you are ready to purchase the full license with the Threat Analytics service, contact the Fortinet Sales team.

To enable Threat Analytics:

  1. Register the license with the Threat Analytics feature on the Support site: HTTPs://support.fortinet.com
  2. Log in to FortiADC.
  3. In the Dashboard > Status License widget, check the status ofThreat Analytics. The status should be displayed as Valid.

  4. Go to Security Fabric > Fabric Connectors. Under Other Fortinet Products section, locate the Threat Analytics connector.

  5. Enable Threat Analytics.

    GUI

    Go to Security Fabric > Fabric Connectors and enable the Threat Analytics connector.

  6. CLI

    config system global

    set threat-analytics enable

    set threat-analytics-authrul <auth-url>

    end

    If you do not have an active Threat Analytics contract, you will receive the following message:

  7. Once the Threat Analytics connector successfully connects FortiADC to the FortiWeb Cloud Threat Analytics service, a new local certificate and CA will be created. Check the certificates and CA to ensure they are present.

    1. Go to System > Manage Certificates to locate the new local certificate with the name Threat_analytics_cert_<date_of_today>.

    2. Go to System > Verify to locate the new CA with the name Threat_analytics_CA_<date_of_today>.

    3. A new syslog global_remote server will be created with the FQDN address type and with the comment "fweb_cloud".
  8. Wait to allow FortiADC to generate attack logs and forward them to FortiWeb Cloud.
  9. Log In to FortiWeb Cloud with the account you used when registering your license on the Fortinet Support site.

Do not delete of modify the syslog remote and certificate/CA entry. Threat Analytics cannot be functional without these configurations.

Threat Analytics in VDOM

When Threat Analytics is enabled in VDOMs, Override in the Syslog Server configuration will be disabled in order to use the global syslog server. If you have previously enabled Override in the Syslog Server configuration, then the default global syslog server list would be removed and you may use a new syslog server list specifically defined in the VDOM. By default, the new syslog remote server would also be created in all the VDOMs with Threat Analytics enabled, which disables Override in order to use the global syslog server. When Threat Analytics is enabled, it will always use the global or root DNS, and not the VDOM's DNS.

Threat Analytics in HA

In HA mode, only the primary node is connected to FortiWeb Cloud Threat Analytics and then the certification and syslog configurations are synchronized to the secondary. This workflow is designed to prevent HA synchronization issues that can arise with having both the primary and secondary nodes connect to the FortiWeb Cloud at the same time. As only the primary node is connected to FortiWeb Cloud, the Threat Analytics status in the secondary node will show as "disconnected".

Threat Analytics troubleshooting and debugging

You can use the following tools to diagnose and troubleshoot Threat Analytics issues in FortiADC

Threat Anaytics connector

When you enable the threat analytics connector, the Threat Analytics service license status will display.

The and icons indicate whether the Threat Analytics connector has successfully connected to the FortiWeb Cloud server. If the connection is down , FortiADC will first perform an inspection of the Threat Analytics license status to determine whether the connection issue is caused by an invalid license. If a valid Threat Analytics license exists, then further troubleshooting may be required to determine the root cause of the Threat Analytics connection issue.

License Status

Description

0

No license

1

Advanced license

2

Standard license, has not enabled threat analytics before

3

Standard license, has enabled threat analytics before, has not expired.

4

Standard license, expired.

CLI commands to debug logs relating to Threat Analytics
Command Guidelines
diagnose debug module wassd

To view the debug informatio of he wassd daemon.

The wassd daemon forms the connection between FortiADC and FortiWeb Cloud and performs several integral functions when Threat Analytics is enabled. This includes the following:

• Establishing a web socket connection with the FortiWeb Cloud using a token. The wassd identifies whether a CA exists before registering to theFortiWeb Cloud. If a CA does exist, then the wassd will send the issue date of the CA certificate to the FortiWeb Cloud.

• Updating FortiWeb Cloud with FortiADC configuration changes, such as HA status changes, member updates, or mode modification.

• Updating device certificates received from the FortiWeb Cloud. lfwassd registered to the FortiWeb Cloud without the issue date of the CA or that the certificate has expired, then FortiWeb Cloud will send new certificates (including the certificate, key, and CA) to wassd. The wassd will update to the local certificate and CA table, and register to FortiWeb Cloud again with the latest CA issue date.

• Starting the forwarding of FortiADC attack logs to FortiWeb Cloud. If wassd has successfully registered to FortiWeb Cloud, then it will start the action with the log server and port from the FortiWeb Cloud.

Note:

The wassd daemon is create for Threat Analytics and executes the wassd_ws Python script when Threat Analytics is enabled. The backend log for the Python script is stored in /var/log/wassd.log

diagnose sysem threat-analytics info To view the system information for Threat Analytics