
FLex for Fortinet - Fortigate

Hello,

I'm installing a logger to collect firewall logs/events. I collect logs from the FortiGate, but with the syslog collector they're dirty...

Has someone worked on a flex for FortiGate?

Thanks.

Jo.


Re: FLex for Fortinet - Fortigate

Have you been able to parse your events the way you want?

I'm also interested in all the UTM (web filtering, IPS, antivirus) stuff from FortiGate, if someone has a flex.

I'm trying to write a stable flex connector for FortiMail; I will post it when it's done!


Re: FLex for Fortinet - Fortigate

The time will come when there will be no SmartConnector available with ArcSight for device integration.

We have migrated firewalls to Fortinet 5.0, Check Point R76, NIPS McAfee 7.5, SMTP mail gateway 10.0; none of the products is supported by ArcSight.

If you have any flex for the above products, please share it.


Re: FLex for Fortinet - Fortigate

Hi,

I am using FortiGate 5.2 with the syslog collector. The parsing is OK, but you need to add some map files to categorize the content properly.


Re: FLex for Fortinet - Fortigate

Could you please share your map file?

We have an issue here:

The FortiGate parser categorizes events as outcome=/Success, but in the raw logs it's a deny 😕

This is an error in the parser, I think.

ArcSight categorizes events as Success, but using the FortiGate console we see that the events are denied and not... success...

Do you have any idea???

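
As an added illustration (not code from the connector, from the map files, or from anyone in this thread): a small Python parser for FortiGate key=value syslog lines, with an assumed mapping from the FortiGate `action` field to an ArcSight categoryOutcome, used to audit which events a connector tagged /Success although the firewall action was deny or blocked. The sample lines, device names and the mapping table are constructed for the example.

```python
import re

# Constructed FortiGate-style syslog lines for illustration, not captured from a real device.
SAMPLE_LINES = [
    'date=2015-03-02 time=10:15:03 devname=FGT-LAB devid=FG100DEXAMPLE logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=10.0.0.5 srcport=51234 '
    'dstip=203.0.113.10 dstport=443 proto=6 action=deny policyid=7 service="HTTPS" '
    'msg="Denied by forward policy check"',
    'date=2015-03-02 time=10:15:04 devname=FGT-LAB devid=FG100DEXAMPLE logid=0000000011 '
    'type=traffic subtype=forward level=notice vd=root srcip=10.0.0.6 srcport=50000 '
    'dstip=198.51.100.20 dstport=80 proto=6 action=accept policyid=3 service="HTTP"',
    'date=2015-03-02 time=10:15:05 devname=FGT-LAB devid=FG100DEXAMPLE logid=0316013056 '
    'type=utm subtype=webfilter level=warning vd=root action=blocked url="http://example.net/" '
    'msg="URL belongs to a denied category in policy"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate(line):
    """Split a FortiGate key=value syslog line into a dict, stripping quotes from quoted values."""
    event = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        event[key] = value
    return event

# Assumed mapping of FortiGate 'action' values to ArcSight categoryOutcome (constructed for this example).
FAILURE_ACTIONS = {"deny", "blocked", "dropped", "reset"}
SUCCESS_ACTIONS = {"accept", "passthrough", "close", "timeout", "start"}

def category_outcome(event):
    """Derive the outcome from the firewall's own action field rather than defaulting to /Success."""
    action = event.get("action", "").lower()
    if action in FAILURE_ACTIONS:
        return "/Failure"
    if action in SUCCESS_ACTIONS:
        return "/Success"
    return "/Attempt"  # unknown action: claim neither success nor failure

def find_miscategorized(lines, assigned_outcomes):
    """Return (logid, action, assigned, expected) for every event whose assigned outcome disagrees with its action."""
    mismatches = []
    for line, assigned in zip(lines, assigned_outcomes):
        event = parse_fortigate(line)
        expected = category_outcome(event)
        if assigned != expected:
            mismatches.append((event.get("logid"), event.get("action"), assigned, expected))
    return mismatches

if __name__ == "__main__":
    # Simulate a connector that tagged all three events /Success, as described in the thread
    for m in find_miscategorized(SAMPLE_LINES, ["/Success", "/Success", "/Success"]):
        print("logid=%s action=%s assigned=%s expected=%s" % m)
```

Running this prints the two deny/blocked events that were wrongly assigned /Success; the same action-to-outcome rule is what a categorization map file needs to express for the connector.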

Re: FLex for Fortinet - Fortigate

Hi

Can you provide more info about the events you say are not categorized properly, such as which deviceEventClassId is related to the wrongly categorized events?

Regards,

Michel


Re: FLex for Fortinet - Fortigate

Hi Michel,

I'm on a day off until Monday.

I could show you some samples on Monday.

But the real problem is that on the firewall itself the logs are sent as deny, and in ArcSight they appear as Accept 😕

Let's see the logs on Monday 🙂


Re: FLex for Fortinet - Fortigate

Hi,

I posted my map files.

Look for 'Fortinet_maps.zip' in Protect724.

Thanks.


Re: FLex for Fortinet - Fortigate

How do I use your mapping file??? I unzipped it and it has a couple of properties files. Do I need to import them in ESM?
