Change Fortigate field assignment to allow for aggregation

Idea ID 2768531

The Fortinet Fortigate parser puts both quantities and IDs in the deviceCustomNumber fields, depending on the type of event. This keeps Fortigate events, which are high-volume, from being aggregated. If a number field holds a quantity, it needs to be put in the list of Fields to Sum; if it holds an ID, it needs to go into the Fields to Aggregate. Since all events have to be aggregated the same way, the mixed use of the same fields keeps the events from being aggregated at all.

More detail:

For most of the event types, the device custom numbers contain quantities that can be added across aggregated events. The main mappings are:

Device Custom Number 1: duration
Device Custom Number 2: one of (sentpkt, sent_pkt) (Packets Sent)
Device Custom Number 3: one of (rcvdpkt, rcvd_pkt) (Packets Received)

These can all be specified in the Fields to Sum.

In the Fortigate UTM section, though, ID numbers are put in custom numbers 2 and 3. These are not quantities, just identifiers, and they cannot be used in the Fields to Sum or their values will be lost in the addition. These and other similar fields should be moved to custom string or other non-numeric fields so that the events can be aggregated.

Device Custom Number 2: one of (sessionid, session_id) (Session ID)
Device Custom Number 3: policy_id (Policy ID)

So to summarize, if aggregation is done with the current mappings, you either lose the quantities in the events that have them or the IDs in the events that have those. The ID mappings should be moved to string fields.
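To make the conflict concrete, here is a small simulation of the aggregation described above (added example, not part of the original idea or of any ArcSight code). The events, the deviceCustomString placement of the IDs and the aggregation model are all constructed assumptions; the point is to compare the three configurations the text discusses.

```python
from collections import defaultdict

# Constructed sample events, not real Fortigate logs. cnN = deviceCustomNumberN,
# csN = deviceCustomStringN (a hypothetical placement for the IDs).
TRAFFIC = [  # cn1 = duration, cn2 = packets sent, cn3 = packets received
    {"cat": "traffic", "src": "10.0.0.5", "dst": "10.0.0.9", "cn1": 30, "cn2": 10, "cn3": 12},
    {"cat": "traffic", "src": "10.0.0.5", "dst": "10.0.0.9", "cn1": 45, "cn2": 7, "cn3": 9},
]
UTM_CURRENT = [  # current mapping: cn2 = session ID, cn3 = policy ID
    {"cat": "utm", "src": "10.0.0.5", "dst": "10.0.0.9", "cn1": 1, "cn2": 418832, "cn3": 7},
    {"cat": "utm", "src": "10.0.0.5", "dst": "10.0.0.9", "cn1": 2, "cn2": 418832, "cn3": 7},
    {"cat": "utm", "src": "10.0.0.5", "dst": "10.0.0.9", "cn1": 1, "cn2": 418833, "cn3": 7},
]
UTM_PROPOSED = [  # proposed mapping: IDs moved to string fields, numbers keep quantities
    {**ev, "cn2": None, "cn3": None, "cs1": str(ev["cn2"]), "cs2": str(ev["cn3"])}
    for ev in UTM_CURRENT
]

def aggregate(events, group_fields, sum_fields):
    """Simplified model of ArcSight aggregation: events with identical values in
    every group field ("Fields to Aggregate") are merged into one event whose
    sum fields ("Fields to Sum") hold the totals and which carries a count."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[tuple(ev.get(f) for f in group_fields)].append(ev)
    merged = []
    for key, evs in buckets.items():
        row = dict(zip(group_fields, key))
        row["count"] = len(evs)
        for f in sum_fields:
            row[f] = sum(e.get(f) or 0 for e in evs)
        merged.append(row)
    return merged

KEY = ("cat", "src", "dst")

def current_mapping_sum_ids():
    """cn2/cn3 in Fields to Sum: traffic totals are right, UTM IDs are destroyed."""
    return aggregate(TRAFFIC + UTM_CURRENT, KEY, ("cn1", "cn2", "cn3"))

def current_mapping_group_on_ids():
    """cn2/cn3 in Fields to Aggregate: IDs survive, but traffic events never merge."""
    return aggregate(TRAFFIC + UTM_CURRENT, KEY + ("cn2", "cn3"), ("cn1",))

def proposed_mapping():
    """IDs in cs1/cs2 (grouped) and quantities in cn1..cn3 (summed): both work."""
    return aggregate(TRAFFIC + UTM_PROPOSED, KEY + ("cs1", "cs2"), ("cn1", "cn2", "cn3"))

if __name__ == "__main__":
    for fn in (current_mapping_sum_ids, current_mapping_group_on_ids, proposed_mapping):
        print(fn.__name__)
        for row in fn():
            print("  ", row)
```

With the current mapping the UTM row's cn2 becomes the sum of three session IDs, while grouping on cn2/cn3 instead leaves every traffic event unmerged; only the proposed split keeps both the packet totals and the session IDs.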

1 Comment
Micro Focus Contributor
Status changed to: Waiting for Votes