aquillius.t@net Super Contributor.

Fortinet and Palo Alto Event Categorization

Hi,

I have collected logs of Fortinet Fortigate and Palo Alto and sent them to ESM. Upon investigating the logs, I found out that there is no categorization on Fortinet and Palo Alto events. Is there a way to add categorization on this? I need this as I have attached the PCI-DSS module and events from Fortinet and Palo Alto were not showing due to missing categorization fields.

Please help!

Thanks,

Aqui

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

You probably send the logs in CEF format from firewalls. Since the parsers are embedded in the connector, you can open a support ticket and ask for the open parser or just categorization files for those products. 

I still don't know how those products can be CEF certified without categorization of the events.

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

aquillius.t@net 
The first question I have is: did you apply the content AUP files to your SmartConnector?

If not, go to SSO (or whatever the portal for software download is called now), get the content subscription updates and apply them to your connectors.

The SC comes with a built-in categorizer; however, there seems to be a difference... see the file size in the attached image:

8214 is the AUP that comes with Framework 7.10 and 8144 is what you can download from the portal.

File size is 39 vs 77 KB. However, if you think that this would change with Framework 7.11, you are wrong.
The file size for the 8239 categorizer which comes with 7.11 is again 39 KB, and the file count is 4 instead of 5.

So if you don't license the content.aup, you don't get the latest categorizer.

Besides that, the build numbers are not consistent across the parser version and the download version.

Hope that confuses you now totally,

Cheers

A.

(Attachment: fortigate_categorizer.png)

aquillius.t@net Super Contributor.

Re: Fortinet and Palo Alto Event Categorization

Hi Vitz1,

I have tried to open a support ticket regarding this and he also told me that I should download the content AUP files. Apparently my SAID is not allowed to download it. Would you mind sharing your content AUP file? I think it will solve the issue. I really need this badly.

With your other question regarding which log files don't have categorization: all of the Fortinet and Palo Alto log events don't have categorization.

Thanks,

Aqui

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

A SAID contract is mandatory; exchanging those AUP files would violate license agreements. Sorry, I can't share software, just knowledge.

Cheers A.
aquillius.t@net Super Contributor.

Re: Fortinet and Palo Alto Event Categorization

Hi Vitz1,

No worries, I understand. Can you help me create a categorizer for this? I'm new to this and I really don't know how to do it.

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

aquillius.t@net 

>>Would you mind share the numbers of the events that don't get categorized?

You were the recipient of that question... ;)

aquillius.t@net Super Contributor.

Re: Fortinet and Palo Alto Event Categorization

Hi Vitz1,

All of the events we're receiving from Fortinet don't have event categorization.

Thanks,

Aqui

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

Would you mind sharing the numbers from the most occurring events?
I have a map file for some numbers; however, it does not make sense to share it when your device event ClassIDs are not in that set.

Cheers
A
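One way to produce the per-ClassID counts asked for above, as an added example that is not part of this thread: it splits the CEF header the way a collector would, takes the signature ID field (what ArcSight exposes as deviceEventClassId, the key a categorization map is looked up on) and counts it per vendor/product. The sample log lines and every ID in them are constructed for illustration, not real FortiGate or PAN-OS output.

```python
import re
from collections import Counter

# Constructed sample export: FortiGate- and PAN-OS-style CEF lines as a
# SmartConnector would receive them (syslog prefix stripped). Signature IDs
# and extension values are made up for illustration, not from a real device.
SAMPLE_LOGS = """\
CEF:0|Fortinet|Fortigate|5.4.1|0000000013|forward traffic|3|src=10.0.0.5 dst=203.0.113.9 act=accept
CEF:0|Fortinet|Fortigate|5.4.1|0000000013|forward traffic|3|src=10.0.0.7 dst=198.51.100.4 act=deny
CEF:0|Fortinet|Fortigate|5.4.1|0000000020|local traffic|3|src=10.0.0.5 dst=10.0.0.1 act=accept
CEF:0|Fortinet|Fortigate|5.4.1|0100032002|admin login|5|suser=admin act=login
CEF:0|Palo Alto Networks|PAN-OS|8.1|TRAFFIC|end|3|src=10.0.1.2 dst=203.0.113.9 act=allow
CEF:0|Palo Alto Networks|PAN-OS|8.1|THREAT|vulnerability|7|src=203.0.113.9 dst=10.0.1.2 cs1=rule\\|web
"""
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")

def split_cef_header(line):
    """Split the seven pipe-delimited CEF header fields, honouring the CEF
    rule that a literal pipe inside a header field is escaped as \\|.
    Returns (header_dict, extension_string), or None if the line is not CEF."""
    if not line.startswith("CEF:"):
        return None
    # Split only on pipes that are not preceded by a backslash.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        return None
    header = dict(zip(_HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    return header, parts[7]

def count_signature_ids(text):
    """Count (vendor, product, signature_id) triples over a log export; the
    signature ID is the deviceEventClassId a categorization map is keyed on."""
    counts = Counter()
    for line in text.splitlines():
        parsed = split_cef_header(line.strip())
        if parsed is None:
            continue          # not CEF (e.g. a raw syslog line): skip it
        h, _ext = parsed
        counts[(h["vendor"], h["product"], h["signature_id"])] += 1
    return counts

def most_common_ids(text, n=5):
    # Highest count first: the list to hand over when asked for "the numbers".
    return count_signature_ids(text).most_common(n)

if __name__ == "__main__":
    for (vendor, product, sig), n in most_common_ids(SAMPLE_LOGS):
        print(f"{n:5d}  {vendor} / {product}  deviceEventClassId={sig}")
```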
aquillius.t@net Super Contributor.

Re: Fortinet and Palo Alto Event Categorization

Hi vitz1,

Can you share the correct SKU for the content AUP?

Thanks.

Aqui

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

Since Fortinet 5.4 the categorization file is not working. They changed the log IDs starting in 5.4 and Micro Focus did not update the categorization file. I have a ticket open and have been waiting for a year for them to fix it.

Knowledge Partner

Re: Fortinet and Palo Alto Event Categorization

Would you mind sharing the numbers of the events that don't get categorized?
aquillius.t@net Super Contributor.

Re: Fortinet and Palo Alto Event Categorization

Same here. Would you mind sharing the steps they advised you to do? Have you resolved it yourself?
nathanpitero Respected Contributor.

Re: Fortinet and Palo Alto Event Categorization

Hi vitz1,

I am a colleague of Aquillius in Netpoleon. Attached here are the sample extracted logs of the Fortinet firewall for your reference.

EDITED:   The attached file has been removed as it contains confidential information.   If needed for troubleshooting, consider transferring the file via email or other non-public means.

Micro Focus Expert

Re: Fortinet and Palo Alto Event Categorization

Start with updating the connector - version 7.6 is old.

I would recommend deleting this zip file; it is publicly available on the internet.

**Edit: I have requested the mods to delete the file.

As above, I recommend upgrading to the latest connector, 7.11, and updating here if there are still issues.

Thanks
