Fortinet FortiGate Content Pack
Fortinet's FortiGate is a next-generation firewall family, delivered as hardware appliances and as virtual machines, that inspects both wired and wireless traffic. It can function as an IPS and provides SSL inspection and web filtering. This technology pack processes Fortinet FortiGate event log messages, providing normalization and enrichment of common events of interest.
Supported Versions
- Fortinet FortiGate running FortiOS Version 7.0 or later
Requirements
- Graylog Server with a valid Enterprise license, running Graylog version 4.2.5 or later
- Fortinet FortiGate configured to transmit syslog to a Syslog input on your Graylog server
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Fortigate Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Fortinet Event Log Messages"
Log Collection
Configure your Fortinet FortiGate device(s) following the instructions in the Graylog Syslog Inputs guide, using TCP as the transport and BSD as the syslog format. On the FortiGate side the sender is configured under `config log syslogd setting`: point it at the Graylog input, select a TCP (reliable) mode rather than UDP, and keep the default key=value log format, which is the body format the example below shows and that the pack's rules parse. The example below is the message body only; the syslog PRI header that precedes it on the wire is handled by the Syslog input.
Log Format Example
date=2021-06-22 time=14:32:46 devname="ABCD-EFG-HIK-LMN-202-87-35-206" devid="FGA20E5Q16027714" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1624352568074022779 tz="+0530" srcip=x.x.x.x srcport=50198 srcintf="wan1" srcintfrole="wan" dstip=2.2.2.2 dstport=4510 dstintf="wan2" dstintfrole="wan" sessionid=2912907682 proto=6 action="close" policyid=32 policytype="policy" poluuid="5b3cd3ef-0fd0-51e7-1222-9c9e72bdfbba" service="4510" dstcountry="India" srccountry="India" trandisp="dnat" tranip=1.1.1.1 tranport=4510 duration=62 sentbyte=2049 rcvdbyte=2703 sentpkt=12 rcvdpkt=11 appcat="unscanned"
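As an added example (not code from this pack or from Fortinet), the following Python parses a FortiGate key=value body into the normalized names from the Parsed Fields table further down. It runs over the page's own traffic line and over a constructed UTM webfilter block line (not from the page). Its assumptions, none of which are the pack's documented behaviour: an optional `<PRI>` syslog prefix may still be on the line; keys absent from the field table get a `vendor_` prefix; `event_action` treats the FortiGate actions deny/blocked/dropped as blocked and every other action as allowed; and `eventtime` is epoch nanoseconds (as the 19-digit value above suggests), which is converted into a UTC `timestamp` field.

```python
import re
from datetime import datetime, timezone

# Subset of the pack's Parsed Fields table: FortiGate key -> normalized name.
FIELD_MAP = {
    "action": "vendor_action",          "appcat": "vendor_application_category",
    "date": "vendor_date",              "time": "vendor_time",
    "tz": "vendor_time_zone",           "eventtime": "vendor_eventtime",
    "devid": "event_observer_id",       "devname": "vendor_devname",
    "logid": "event_id",                "type": "vendor_type",
    "subtype": "vendor_subtype",        "eventtype": "vendor_eventtype",
    "vd": "virtual_domain_name",        "srcip": "source_ip",
    "srcport": "source_port",           "srcintf": "network_interface_in",
    "srcintfrole": "vendor_source_interface_role",
    "dstip": "destination_ip",          "dstport": "destination_port",
    "dstintfrole": "vendor_destination_interface_role",
    "sessionid": "session_id",          "proto": "vendor_proto",
    "policyid": "policy_id",            "policytype": "policy_type",
    "poluuid": "policy_uid",            "service": "network_application",
    "trandisp": "vendor_nat_translation_type",
    "tranip": "vendor_tranip",          "tranport": "vendor_tranport",
    "duration": "event_duration",       "sentbyte": "source_bytes_sent",
    "rcvdbyte": "destination_bytes_sent", "sentpkt": "source_packets_sent",
    "rcvdpkt": "destination_packets_sent", "hostname": "destination_domain",
    "url": "http_url",                  "msg": "vendor_msg",
    "direction": "vendor_direction",    "profile": "vendor_profile",
    "method": "vendor_method",          "pri": "vendor_pri",
}
# Normalized fields that are numeric in FortiGate logs (assumption: cast them).
INT_FIELDS = {"source_port", "destination_port", "session_id", "policy_id",
              "event_duration", "source_bytes_sent", "destination_bytes_sent",
              "source_packets_sent", "destination_packets_sent", "vendor_proto",
              "vendor_tranport"}
# FortiGate actions treated as a block (assumption, not the pack's mapping).
BLOCKING_ACTIONS = {"deny", "blocked", "block", "dropped", "drop"}

# key=value pairs; quoted values may contain spaces and backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
PRI_RE = re.compile(r"^<(\d{1,3})>")  # optional syslog PRI left on the line


def parse_kv(body):
    fields = {}
    for key, raw in KV_RE.findall(body):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def event_action(vendor_action):
    return "blocked" if vendor_action.lower() in BLOCKING_ACTIONS else "allowed"


def timestamp_from_eventtime(value):
    # FortiOS 6.2+ writes eventtime as epoch nanoseconds (19 digits); older
    # releases wrote seconds. The magnitude check tells the two apart (assumption).
    n = int(value)
    seconds = n // 10**9 if n > 10**12 else n
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def parse_fortigate(line):
    line = line.strip()
    m = PRI_RE.match(line)
    body = line[m.end():] if m else line
    msg = {}
    for key, value in parse_kv(body).items():
        name = FIELD_MAP.get(key, "vendor_" + key)  # unmapped keys: vendor_ prefix
        if name in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string if the vendor sent something odd
        msg[name] = value
    if m:
        msg["vendor_pri"] = int(m.group(1))
    if "vendor_action" in msg:
        msg["event_action"] = event_action(msg["vendor_action"])
    if "vendor_eventtime" in msg:
        msg["timestamp"] = timestamp_from_eventtime(msg["vendor_eventtime"])
    return msg


# The page's own traffic example (srcip is redacted there as x.x.x.x).
SAMPLE_TRAFFIC = (
    'date=2021-06-22 time=14:32:46 devname="ABCD-EFG-HIK-LMN-202-87-35-206" '
    'devid="FGA20E5Q16027714" logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" eventtime=1624352568074022779 tz="+0530" srcip=x.x.x.x '
    'srcport=50198 srcintf="wan1" srcintfrole="wan" dstip=2.2.2.2 dstport=4510 '
    'dstintf="wan2" dstintfrole="wan" sessionid=2912907682 proto=6 action="close" '
    'policyid=32 policytype="policy" poluuid="5b3cd3ef-0fd0-51e7-1222-9c9e72bdfbba" '
    'service="4510" dstcountry="India" srccountry="India" trandisp="dnat" '
    'tranip=1.1.1.1 tranport=4510 duration=62 sentbyte=2049 rcvdbyte=2703 '
    'sentpkt=12 rcvdpkt=11 appcat="unscanned"'
)
# Constructed UTM webfilter block, with PRI still attached (not from the page).
SAMPLE_WEBFILTER = (
    '<189>date=2021-06-22 time=14:33:01 devname="FW-EDGE-01" devid="FGA20E5Q16027714" '
    'logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" vd="root" eventtime=1624352581000000000 tz="+0530" policyid=12 '
    'sessionid=2912907700 srcip=10.0.1.25 srcport=51234 srcintf="lan1" srcintfrole="lan" '
    'dstip=203.0.113.10 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 '
    'service="HTTPS" hostname="malware.example" profile="default" action="blocked" '
    'reqtype="direct" url="/payload.bin" sentbyte=0 rcvdbyte=0 direction="outgoing" '
    'msg="URL belongs to a denied category in policy" method="domain" cat=26 '
    'catdesc="Malicious Websites"'
)

if __name__ == "__main__":
    for line in (SAMPLE_TRAFFIC, SAMPLE_WEBFILTER):
        for name, value in sorted(parse_fortigate(line).items()):
            print(f"{name}={value!r}")
        print()
```

The quoted-value handling is the part worth checking against your own logs: fields such as `msg`, `devname`, and `catdesc` routinely contain spaces, so a naive split on whitespace silently corrupts them and every downstream rule that keys on them.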
What is Provided
- Rules to parse, normalize, and enrich Fortinet FortiGate messages
- Traffic event processing (forward, local, multicast, SSL) with network connection categorization and event_action normalization
- UTM security event processing: IPS, application control, virus, web filter, anomaly detection, DLP, DNS filtering, email filtering, WAF, SSH inspection, and file filtering
- VPN event processing (SSL-VPN and IPsec) with logon/logoff categorization for tunnel-up and tunnel-down events
- User authentication event processing (RADIUS, LDAP, FSSO) with success/failure outcome mapping
- System administration login event processing
- DHCP event processing with logid-based categorization (request, offer, acknowledgement)
- Network direction normalization via lookup table
- Alert severity mapping from FortiGate severity to GIM severity levels
- Graylog Information Model (GIM) message categorization with enforcement fields
- A Fortinet FortiGate Spotlight content pack
GIM Categorization
GIM categorization is provided for the following messages. Rows are keyed by the FortiGate subtype; the DHCP rows are keyed by logid, and a qualifier in parentheses marks subtypes that are split by outcome or message kind:
| fortigate_subtype (or logid) | gim_event_type_code | gim_event_category | gim_event_class | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|---|
| forward | 120000 | network | network.network connection | network connection | |
| multicast | 120000 | network | network.network connection | network connection | |
| local | 120000 | network | network.network connection | network connection | |
| ssl | 120000 | network | network.network connection | network connection | |
| voip | 120000 | network | network.network connection | network connection | |
| icap | 120000 | network | network.network connection | network connection | |
| cifs | 120000 | network | network.network connection | network connection | |
| sniffer | 129999 | network | network.default | network message | |
| webfilter | 180200 | http | protocol | http.communication | http communication |
| virus | 301000 | detection | detection.host_detection | host_malware_detection | |
| anomaly | 300001 | detection | detection.network_detection | network_detection | |
| ips | 300001 | detection | detection.network_detection | network_detection | |
| signature | 300001 | detection | detection.network_detection | network_detection | |
| app-ctrl | 300001 | detection | detection.network_detection | network_detection | |
| dlp | 300002 | detection | detection.network_detection | network_dlp_detection | |
| dns (query) | 140000 | name resolution | protocol | name resolution.dns request | dns query |
| dns (response) | 140200 | name resolution | protocol | name resolution.dns answer | dns response |
| dns (default) | 149999 | name resolution | protocol | name resolution.default | dns message |
| emailfilter | 139999 | messaging | messaging.default | message | |
| spamfilter | 139999 | messaging | messaging.default | message | |
| waf | 300001 | detection | detection.network_detection | network_detection | |
| ssh | 300001 | detection | detection.network_detection | network_detection | |
| file-filter | 300001 | detection | detection.network_detection | network_detection | |
| vpn (tunnel-up) | 100000 + 100500 | authentication | authentication.logon | logon + credential validation | |
| vpn (tunnel-down) | 102500 | authentication | authentication.logoff | logoff | |
| user (success) | 100000 + 100500 | authentication | authentication.logon | logon + credential validation | |
| user (failure) | 100000 | authentication | authentication.logon | logon | |
| system (login) | 100000 | authentication | authentication.logon | logon | |
| wireless | 129999 | network | network.default | network message | |
| 0100026001 | 290300 | dhcp | protocol | dhcp.acknowledgement | dhcp acknowledgement |
| 0104043666 | 290100 | dhcp | protocol | dhcp.offer | dhcp offer |
| 0104043664 | 290000 | dhcp | protocol | dhcp.request | dhcp request |
Message Fields Included in This Pack
Parsed Fields
This pack normalizes the FortiGate fields listed below. They are the fields commonly seen across FortiGate event logs; not every field appears in every log type, and a field is renamed only when it is present in the message.
| Fortigate Source Property | Normalized Field Name |
|---|---|
| action | vendor_action |
| addr | vendor_address |
| agent | http_user_agent |
| ap | vendor_ap |
| app | application_name |
| appcat | vendor_application_category |
| appid | vendor_application_id |
| applist | vendor_application_list |
| apprisk | vendor_threat_suspected |
| attachment | vendor_attachment |
| attack | vendor_alert_category |
| attackid | vendor_attackid |
| cfgattr | vendor_configuration_attribute |
| cfgobj | vendor_configuration_setting |
| cfgpath | vendor_configuration_path |
| cfgtid | vendor_configuration_id |
| channel | wifi_channel |
| count | vendor_count |
| countapp | vendor_number_of_associated_app_ctrl_logs |
| countav | vendor_number_of_associated_av_logs |
| craction | vendor_threat_weight_action |
| crlevel | vendor_threat_weight_level |
| crscore | vendor_threat_weight_score |
| cve | cve_number |
| date | vendor_date |
| devid | event_observer_id |
| devname | vendor_devname |
| devtype | vendor_source_device_type |
| direction | vendor_direction |
| dst_host | destination_host |
| dstcountry | vendor_destination_country |
| dstdevtype | vendor_destination_device_type |
| dstepid | vendor_destination_endpoint_id |
| dsthwvendor | vendor_destination_hw_interface |
| dstintfrole | vendor_destination_interface_role |
| dstip | destination_ip |
| dstmac | destination_mac |
| dstname | vendor_destination_name |
| dstosname | vendor_destination_os_name |
| dstport | destination_port |
| dstserver | vendor_destination_server |
| dtime | event_created |
| dtype | vendor_dtype |
| duration | event_duration |
| dvid | vendor_device_id |
| encryption | wifi_encryption |
| epid | vendor_endpoint_id |
| euid | vendor_enduser_id |
| eventtime | vendor_eventtime |
| eventtype | vendor_eventtype |
| fctemssn | vendor_client_endpoint_ssn |
| fctuid | vendor_client_user_id |
| filename | file_name |
| filetype | file_type |
| from | source_user_email |
| hostname | destination_domain |
| icmpcode | vendor_icmpcode |
| icmpid | vendor_icmpid |
| icmptype | vendor_icmptype |
| id | vendor_id |
| idseq | event_uid |
| ipaddr | dns_value |
| itime | event_received_time |
| itime_t | vendor_log_received |
| lanin | vendor_incoming_lantraffic_bytes |
| lanout | vendor_outgoing_lantraffic_bytes |
| locip | local_ip |
| logdesc | vendor_logdesc |
| logid | event_id |
| mastersrcmac | vendor_source_master_mac |
| method | vendor_method |
| msg | vendor_msg |
| osname | vendor_source_os_name |
| policyid | policy_id |
| policyname | policy_name |
| policytype | policy_type |
| poluuid | policy_uid |
| pri | vendor_pri |
| profile | vendor_profile |
| proto | vendor_proto |
| qclass | query_class |
| qname | query_request |
| qtype | query_record_type |
| qtypeval | query_record_type_code |
| quarskip | vendor_quarskip |
| rcvdbyte | destination_bytes_sent |
| rcvdpkt | destination_packets_sent |
| reason | vendor_reason |
| ref | vendor_reference_url |
| remip | remote_ip |
| remotewtptime | vendor_remote_wifi_radius_authentication_time |
| security | vendor_security |
| sender | http_sender |
| sentbyte | source_bytes_sent |
| sentpkt | source_packets_sent |
| service | network_application |
| sessionid | session_id |
| severity | vendor_severity |
| sn | vendor_sn |
| srccountry | vendor_source_country |
| srcdomain | vendor_srcdomain |
| srchwvendor | vendor_source_hw_interface |
| srcintf | network_interface_in |
| srcintfrole | vendor_source_interface_role |
| srcip | source_ip |
| srcmac | source_mac |
| srcname | vendor_source_name |
| srcport | source_port |
| srcserver | vendor_source_server |
| srcuuid | vendor_source_uuid |
| ssid | wifi_ssid |
| stamac | host_mac |
| status | vendor_status |
| subject | vendor_subject |
| subtype | vendor_subtype |
| threat | threat_category |
| time | vendor_time |
| to | destination_user_email |
| trandisp | vendor_nat_translation_type |
| tranip | vendor_tranip |
| tranport | vendor_tranport |
| transip | vendor_transip |
| transport | vendor_transport |
| tunnelip | tunnel_ip |
| type | vendor_type |
| tz | vendor_time_zone |
| ui | vendor_ui |
| url | http_url |
| user | user_name |
| utmaction | vendor_utm_action |
| utmref | vendor_reference_to_utm |
| vap | wifi_virtual_access_point |
| vd | virtual_domain_name |
| vendor_hostname | host_hostname |
| virus | vendor_virus |
| viruscat | vendor_viruscat |
| virusid | vendor_virusid |
| vrf | vendor_virtual_routing_and_forwarding |
| wanin | vendor_incoming_wantraffic_bytes |
| wanout | vendor_outgoing_wantraffic_bytes |
Event Enrichment
The following fields are added to Fortinet FortiGate event messages. Fields described as applying to detection, authentication, or service events are only added for that event type:
| Field Name | Description |
|---|---|
| alert_severity | Text description of the alert severity for detection events (virus, anomaly, ips, signature, app-ctrl) |
| destination_reference | Mapped from destination_ip or destination_hostname in that order |
| event_severity | Text description of the severity rating of the event |
| event_severity_level | Numeric representation of the severity rating of the event |
| event_source | Source system that generated the event |
| host_reference | Mapped from host_ip or host_hostname in that order - allows a common field to reference for messages that do not provide both |
| network_direction | Normalized network traffic direction (inbound, outbound, lateral) mapped from the FortiGate direction field |
| source_reference | Mapped from source_ip or source_hostname in that order |
| vendor_event_severity_level | Vendor-defined numeric severity rating for the event |
| vendor_full_url | The normalized full url based on combination of destination_domain and http_url |
| alert_category | Threat category for detection events (virus type, attack name, subtype fallback) |
| alert_severity_level | Numeric alert severity level mapped from FortiGate severity |
| alert_signature | Threat or rule name for detection events |
| event_action | Normalized action (allowed/blocked) mapped from FortiGate action field |
| event_outcome | Authentication outcome (success/failure) for VPN and user authentication events |
| application_name | Application or service name for authentication events (VPN tunnel type, auth server) |
| service_name | Service name for service start/stop events |
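As an added example (not the pack's own rules), the following Python applies three of the enrichments in the table above to already-normalized messages: the `*_reference` fields, `network_direction`, and `vendor_full_url`. The direction lookup maps the FortiGate `direction` values `incoming`/`outgoing` as the table describes; the fallback to interface roles for traffic logs that carry no `direction` field (lan/dmz to wan is outbound, wan to lan/dmz is inbound, lan/dmz to lan/dmz is lateral) is an assumption of this example, not documented pack behaviour. The sample messages are constructed.

```python
# FortiGate `direction` values -> normalized direction (lookup as in the table above).
DIRECTION_LOOKUP = {"incoming": "inbound", "outgoing": "outbound"}
# Interface-role fallback for traffic logs without a `direction` field (assumption).
EXTERNAL_ROLES = {"wan"}
INTERNAL_ROLES = {"lan", "dmz"}


def network_direction(msg):
    """Prefer the vendor direction field; otherwise infer from srcintfrole/dstintfrole."""
    mapped = DIRECTION_LOOKUP.get((msg.get("vendor_direction") or "").lower())
    if mapped:
        return mapped
    src = msg.get("vendor_source_interface_role")
    dst = msg.get("vendor_destination_interface_role")
    if src in INTERNAL_ROLES and dst in EXTERNAL_ROLES:
        return "outbound"
    if src in EXTERNAL_ROLES and dst in INTERNAL_ROLES:
        return "inbound"
    if src in INTERNAL_ROLES and dst in INTERNAL_ROLES:
        return "lateral"
    return None  # e.g. role "undefined": leave the field unset rather than guess


def reference(msg, prefix):
    """<prefix>_reference: the IP if present, else the hostname (as the table describes)."""
    return msg.get(f"{prefix}_ip") or msg.get(f"{prefix}_hostname")


def full_url(msg):
    """vendor_full_url: destination_domain joined with http_url."""
    domain, path = msg.get("destination_domain"), msg.get("http_url")
    if not domain or not path:
        return None
    if path.startswith(("http://", "https://")):
        return path  # already absolute
    return domain + (path if path.startswith("/") else "/" + path)


def enrich(msg):
    out = dict(msg)
    for prefix in ("source", "destination", "host"):
        ref = reference(msg, prefix)
        if ref:
            out[f"{prefix}_reference"] = ref
    direction = network_direction(msg)
    if direction:
        out["network_direction"] = direction
    url = full_url(msg)
    if url:
        out["vendor_full_url"] = url
    return out


# Constructed normalized messages (field names from the Parsed Fields table).
SAMPLES = {
    "lan_to_wan": {"source_ip": "10.0.1.25", "vendor_source_interface_role": "lan",
                   "destination_ip": "203.0.113.10", "vendor_destination_interface_role": "wan",
                   "destination_domain": "malware.example", "http_url": "/payload.bin"},
    "wan_to_dmz": {"source_ip": "198.51.100.7", "vendor_source_interface_role": "wan",
                   "destination_ip": "10.0.9.4", "vendor_destination_interface_role": "dmz"},
    "lan_to_lan": {"source_ip": "10.0.1.25", "vendor_source_interface_role": "lan",
                   "destination_ip": "10.0.2.40", "vendor_destination_interface_role": "lan"},
    # UTM log: the vendor direction field wins over interface roles.
    "utm_incoming": {"vendor_direction": "incoming", "vendor_source_interface_role": "lan",
                     "vendor_destination_interface_role": "wan", "source_ip": "10.0.1.25"},
    # No source_ip, so source_reference falls back to the hostname.
    "hostname_only": {"source_hostname": "laptop-07", "vendor_source_interface_role": "undefined",
                      "vendor_destination_interface_role": "wan"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        out = enrich(msg)
        print(name, out.get("network_direction"), out.get("source_reference"),
              out.get("vendor_full_url"))
```

The precedence matters operationally: a UTM log's `direction` describes the flow the engine inspected, while interface roles describe where the packet entered and left the box, and the two can disagree when roles are left at `undefined`; leaving `network_direction` unset in that case keeps an inbound/outbound dashboard honest instead of quietly miscounting.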
Fortinet FortiGate Spotlight Content Pack
The Fortinet FortiGate Spotlight Pack offers an overview dashboard with the following tabs:
- Overview
- DNS
- Application Control
- Virus
