Configuration options for Fortinet
Review configuration options for Fortinet firewalls in RocketCyber
|
Fortiguard block events |
Fortiguard is Fortinet's heuristic for predicting what traffic should be blocked. FortiGuard block events often have lower noise than allow events, since they only occur when the firewall believes something is wrong (whereas allow events will be extremely common even if all traffic is legitimate). |
|
ActiveX allow events |
ActiveX is bad. Kill it with fire. |
|
Intrusion attempts (both) |
The two intrusion attempt categories handle different situations, so it is advised that both stay enabled |
|
Antivirus alerts |
Firewall AV is the first chance to catch a virus entering your network. It is important to stay informed of this attack vector |
|
Reputation lookup on connecting IPs |
This will monitor traffic and inform you only of unexpected traffic or traffic coming from unusual locations (e.g. countries on the Enabled Countries list). |
Log Format
The expected format for Fortinet logs is space-separated. For example
EXAMPLE <189>date=2019-12-23 time=11:52:21 devname="FG2AAAA802121" devid="FG2AAAA802121" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1577123541 srcip=192.168.10.201 srcport=52770 srcintf="port1" srcintfrole="lan" dstip=216.78.197.170 dstport=443 dstintf="wan1" dstintfrole="wan" poluuid="7457ac76-f7a7-51e5-41cd-55962f7d7c0a" sessionid=179748073 proto=6 action="close" policyid=1 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=97.107.127.97 transport=52770 appid=42577 app="Google.Services" appcat="General.Interest" apprisk="elevated" applist="default" duration=551 sentbyte=37898 rcvdbyte=329224 sentpkt=208 rcvdpkt=441 utmaction="allow" countweb=1 countapp=1 sentdelta=461 rcvddelta=278 devtype="Router/NAT Device" devcategory="None" mastersrcmac="02:04:96:aa:aa:bb" srcmac="02:04:96:aa:aa:cc" srcserver=0
