7.2.0

Syslog Management

How it Works

Automated response by FortiNAC to Syslog messaging sent by the Palo Alto firewall is achieved through the following steps:

  1. Firewall sends a Syslog message to FortiNAC.

  2. FortiNAC parses the Syslog information based on pre-defined Syslog Files stored in FortiNAC’s database.

  3. FortiNAC generates an event that can contain any or all of the fields included in the message. The event generated (High Violation, Medium Violation or Low Violation) is dependent upon the Severity Value associated with the received message.

    Note: If a Syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore, a single host could generate multiple events and alarms.

  4. FortiNAC attempts to identify the host that is the target of the event. This is done by resolving the source IP address in the message to a MAC address in FortiNAC’s database through L3 Polling.

    1. If the IP address cannot be resolved, the event is held in memory until an associated host can be found.

    2. Once an associated host is found, the event is printed and searchable under the Events view of the Administrative UI.

  5. If the Event is mapped to an Alarm, FortiNAC takes action based on the alarm configuration. The actions taken can range from sending an email to isolating the offending host.
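The five steps above, modelled as an added Python example (not FortiNAC's own code or its stored Syslog File format): the syslog lines, the L3 polling table, the severity-to-event mapping and the event-to-alarm configuration are all constructed assumptions, chosen to show the unresolved-IP hold and the one-event-per-adapter behaviour.

```python
import re

# Assumed mapping of Palo Alto severity values to FortiNAC violation events
# (the page says the event depends on the Severity Value; this mapping is ours).
SEVERITY_TO_EVENT = {"critical": "High Violation", "high": "High Violation",
                     "medium": "Medium Violation", "low": "Low Violation",
                     "informational": "Low Violation"}
# Assumed event-to-alarm configuration (step 5); None means no alarm is mapped.
ALARM_ACTION = {"High Violation": "isolate host", "Medium Violation": "send email",
                "Low Violation": None}

# Constructed L3 polling table: source IP -> MACs of the host's adapters.
L3_TABLE = {"10.1.1.5": ["00:11:22:33:44:55", "00:11:22:33:44:56"],  # two adapters
            "10.1.1.9": ["aa:bb:cc:dd:ee:ff"]}

# Constructed syslog lines in a simple key=value style (not FortiNAC's Syslog File format).
SAMPLE_SYSLOG = [
    "<12>Jan 10 12:00:01 pa-fw THREAT src=10.1.1.5 threat=Trojan.Gen severity=high",
    "<13>Jan 10 12:00:02 pa-fw THREAT src=10.1.1.9 threat=Port.Scan severity=medium",
    "<14>Jan 10 12:00:03 pa-fw THREAT src=10.1.1.77 threat=Spyware severity=low",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Step 2: pull the key=value fields out of one received message."""
    fields = dict(FIELD_RE.findall(line))
    fields["event"] = SEVERITY_TO_EVENT.get(fields.get("severity", "").lower(), "Low Violation")
    return fields


def process(lines, l3_table, pending=()):
    """Steps 3-5: generate events, resolve src IP via the L3 table, hold the
    unresolved ones in memory, and return (events, still_pending)."""
    queue = list(pending) + [parse_syslog(line) for line in lines]
    events, still_pending = [], []
    for f in queue:
        macs = l3_table.get(f.get("src"))
        if not macs:                      # step 4.1: no host yet, keep in memory
            still_pending.append(f)
            continue
        for mac in macs:                  # note: one event per adapter of the host
            events.append({"event": f["event"], "src": f["src"], "mac": mac,
                           "threat": f.get("threat"), "action": ALARM_ACTION[f["event"]]})
    return events, still_pending


if __name__ == "__main__":
    evts, held = process(SAMPLE_SYSLOG, L3_TABLE)
    print(len(evts), "events,", len(held), "held")       # 3 events, 1 held
    # A later L3 poll learns the missing host; the held event is then released.
    evts2, held2 = process([], {**L3_TABLE, "10.1.1.77": ["de:ad:be:ef:00:01"]}, held)
    print(len(evts2), "events,", len(held2), "held")     # 1 events, 0 held
```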
