FortiSIEM Authentication Server Configuration

Authentication Server Configuration

AccelOps (the former name of FortiSIEM, used throughout these instructions) supports these authentication servers for discovery and monitoring.

Cisco Access Control Server (ACS) Configuration

Microsoft Internet Authentication Server (IAS) Configuration

Juniper Networks Steel-Belted RADIUS Configuration

Vasco DigiPass Configuration

CyberArk Password Vault Configuration

Cisco Access Control Server (ACS) Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process-level CPU utilization, memory utilization | Performance monitoring
WMI | Application type, service mappings | Process-level metrics: uptime, CPU utilization, memory utilization, read I/O, write I/O | Performance monitoring
Syslog | Application type | Successful and failed authentications, successful and failed administrative logons, RADIUS accounting logs | Security monitoring and compliance

Event Types

In CMDB > Event Types, search for “cisco secure acs” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log into the device you want to enable SNMP for as an administrator.
  2. Go to Control Panel > Programs and Features.
  3. Click Turn Windows features on or off.
  4. If you are installing on a Windows 7 device, select Simple Network Management Protocol (SNMP). If you are installing on a Windows 2008 device, in the Server Manager window go to Features > Add Features > SNMP Services.
  5. If necessary, select SNMP to enable the service.
  6. Go to Programs > Administrative Tools > Services to set the SNMP community string and to include AccelOps in the list of hosts that can access this server via SNMP.
  7. Select SNMP Service, right-click it, and select Properties.
  8. On the Security tab, add a community string with READ ONLY rights. The original instructions use public; because that is the default string every SNMP scanner tries first, choose a non-default value and enter the same value in the AccelOps SNMP credential for this device. Monitoring never needs READ WRITE.
  9. On the Security tab, select Accept SNMP packets from these hosts and add the AccelOps IP address.
  10. Restart the SNMP service.
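The SNMP steps above as one script, added here as an example and not taken from the FortiSIEM page or from Fortinet. It runs in an elevated PowerShell on the Windows host that runs the authentication server and uses the Windows SNMP service's registry layout (ValidCommunities holds one DWORD per community name whose value is the rights level; PermittedManagers holds numbered string values, one per allowed manager). The community string and the collector address are placeholders.

```powershell
# Added example, not from the FortiSIEM page: the SNMP service configuration above, scripted.
# Placeholders: $Community (pick your own) and $Collector (the AccelOps/FortiSIEM collector).
#Requires -RunAsAdministrator

$Community = 'Fsm-R0-7c3a'      # placeholder: a non-default, read-only community string
$Collector = '10.0.0.5'          # placeholder: the collector that is allowed to poll us
$Params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# 1. Install the SNMP service if it is missing (Server 2012 and later; on 2008 use
#    Server Manager > Features > Add Features > SNMP Services as in the steps above).
if ((Get-WindowsFeature -Name SNMP-Service).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name SNMP-Service | Out-Null
}

# 2. Community string with READ ONLY rights. The DWORD value is the rights level:
#    1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE. Monitoring needs 4.
#    Remove the well-known default string at the same time.
$valid = Join-Path $Params 'ValidCommunities'
New-Item -Path $valid -Force | Out-Null
New-ItemProperty -Path $valid -Name $Community -Value 4 -PropertyType DWord -Force | Out-Null
Remove-ItemProperty -Path $valid -Name 'public' -ErrorAction SilentlyContinue

# 3. "Accept SNMP packets from these hosts": numbered string values under PermittedManagers.
#    The list is replaced outright so that no earlier, broader entry survives.
$managers = Join-Path $Params 'PermittedManagers'
Remove-Item -Path $managers -Recurse -ErrorAction SilentlyContinue
New-Item -Path $managers -Force | Out-Null
New-ItemProperty -Path $managers -Name '1' -Value $Collector -PropertyType String -Force | Out-Null

# 4. Apply the change.
Restart-Service -Name SNMP

# Check: our string with rights 4, no 'public', and only the collector as a permitted manager.
Get-ItemProperty -Path $valid    | Select-Object -Property $Community, public
Get-ItemProperty -Path $managers | Select-Object -Property '1'
```

The Windows SNMP service speaks v1/v2c only, so the community string crosses the network in clear text on every poll; limiting accepted managers to the collector and keeping the string read-only bounds what a captured string is worth. From the collector, snmpwalk -v2c -c <community> <host> HOST-RESOURCES-MIB::hrSWRunName confirms that the process table behind the SNMP row of the table above is readable.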

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select New User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to Group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK. This is the account you will use when setting up the Performance Monitor Users group permissions.
  7. Click OK in the Distributed COM Users Properties dialog.
  8. Repeat steps 4 through 7 for the Performance Monitor Users group, and then close the Computer Management dialog.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  5. Click OK.
  6. Under Access Permissions, click Edit Default.
  7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
  8. Click OK.
  9. Under Launch and Activation Permissions, click Edit Limits.
  10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. Under Launch and Activation Permissions, click Edit Default.
  13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  14. Click OK.

See the sections Enable Account Privileges in WMI and Allow WMI to Connect Through the Windows Firewall in the domain admin user setup instructions below for the remaining steps to configure WMI. This non-administrator account is the one to prefer: it can read WMI and performance counters remotely but has no administrative rights on the monitored host and no domain privileges.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group

A member of Domain Admins has full control of every domain-joined host, and its credential is stored on the AccelOps appliance; use this option only if the non-administrator account described above cannot collect what you need.

  1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select New > User.
  3. Create a user in your domain. The example in the original instructions is YJTEST@accelops.com, in the vendor's accelops.com domain.
  4. Right-click the Domain Admins group and select Properties.
  5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  6. For Enter the object names to select, enter the user you created in step 3, and then click OK.
  7. Click OK to close the Domain Admins Properties dialog.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  5. Click OK.
  6. In the COM Security tab, under Access Permissions, click Edit Default.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
  8. Click OK.
  9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. Click OK.
  12. In the COM Security tab, under Launch and Activation Permissions, click Edit Default.
  13. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  14. Click OK.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security tab.
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

  1. In the Start menu, select Run.
  2. Run gpedit.msc.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  5. Enable the setting Windows Firewall: Allow remote administration exception.
  6. Run cmd.exe and enter these commands:
  7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation (WMI), and then click OK.
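Both WMI procedures on this page (this Cisco ACS section and the identical Microsoft IAS section further down) describe the same non-administrator setup. The script below is an added example, not the page's or Fortinet's own code: it performs that setup in an elevated PowerShell 5.1 session on the monitored Windows host and ends with the check a practitioner runs from the collector side. The account name svc-fsm-wmi, the password prompt and the host name in the final check are placeholders; the WMI access-mask values and the __SystemSecurity GetSD/SetSD methods are the documented ones.

```powershell
# Added example, not from the FortiSIEM page: non-administrator WMI monitoring account,
# DCOM group membership, CIMV2 namespace rights, firewall rule, and a remote check.
#Requires -RunAsAdministrator

$User = 'svc-fsm-wmi'                                   # placeholder account name
$Pass = Read-Host -AsSecureString "Password for $User"

# 1. Local, non-administrator user in the two groups the page names. On Server 2008 and
#    later the default machine-wide DCOM limits (Edit Limits) already contain Distributed
#    COM Users, so membership covers that step unless group policy has tightened the limits.
#    (On 2008 R2/2012, without the LocalAccounts module, use "net user" and "net localgroup".)
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Pass -PasswordNeverExpires -UserMayNotChangePassword `
                  -Description 'FortiSIEM WMI monitoring (read-only)' | Out-Null
}
foreach ($group in 'Distributed COM Users', 'Performance Monitor Users') {
    if (-not (Get-LocalGroupMember -Group $group -Member $User -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $group -Member $User
    }
}

# 2. "Enable Account" (WBEM_ENABLE = 0x1) and "Remote Enable" (WBEM_REMOTE_ACCESS = 0x20)
#    on root\cimv2, applied to "This namespace and subnamespaces" (CONTAINER_INHERIT),
#    by appending one allow ACE to the namespace's binary security descriptor.
$sid  = ([System.Security.Principal.NTAccount]$User).Translate([System.Security.Principal.SecurityIdentifier])
$mask = 0x1 -bor 0x20
$ns   = @{ Namespace = 'root/cimv2'; ClassName = '__SystemSecurity' }
$raw  = (Invoke-CimMethod @ns -MethodName GetSD).SD
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
$present = $sd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $sid -and (($_.AccessMask -band $mask) -eq $mask)
}
if (-not $present) {
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $bytes = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    $r = Invoke-CimMethod @ns -MethodName SetSD -Arguments @{ SD = $bytes }
    if ($r.ReturnValue -ne 0) { throw "SetSD on root\cimv2 failed with return value $($r.ReturnValue)" }
}

# 3. Firewall: the built-in WMI rule group (Server 2012 and later). On 2008 R2 run instead:
#    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# 4. Restart WMI so the namespace ACL is re-read (the "Restart" step in the page).
Restart-Service -Name Winmgmt -Force

# 5. Check from another machine, as the new account, over DCOM (the path the collector uses).
#    Success returns the OS record. "Access is denied" points at DCOM or namespace rights;
#    "The RPC server is unavailable" points at the firewall. Placeholder host name.
#    $cred = Get-Credential 'MONITORED-HOST\svc-fsm-wmi'
#    Get-WmiObject -Class Win32_OperatingSystem -ComputerName monitored-host -Credential $cred |
#        Select-Object CSName, LastBootUpTime
```

Why this rather than the Domain Admins option: the account can read CIMV2 and the counters that Performance Monitor Users exposes, and nothing else. If its credential is lifted from the collector, the attacker gets read access to inventory and performance data on the monitored hosts, not a path to every machine in the domain.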

Syslog

  1. Log in to your Cisco Secure ACS server as an administrator.
  2. Go to Start > All Programs > CiscoSecure ACS v4.1 > ACS Admin.
  3. In the left-hand navigation, click System Configuration, then click Logging.
  4. Select Syslog for Failed Attempts, Passed Authentications, and RADIUS Accounting to send these reports to AccelOps.
  5. For each of these reports, click Configure under CSV, and select the following attributes to include in the CSV output.

Report: Failed Attempts
CSV attributes: Message-Type, User-Name, NAS-IP-Address, Authen-Failure-Code, Author-Failure-Code, Caller-ID, NAS-Port, Author-Date, Group-Name, Filter Information, Access Device, AAA Server

Report: Passed Authentications
CSV attributes: Message-Type, User-Name, NAS-IP-Address, Authen-Failure-Code, Author-Failure-Code, Caller-ID, NAS-Port, Author-Date, Group-Name, Filter Information, Access Device, AAA Server, Proxy-IP-Address, Source-NAS, PEAP/EAP-FAST-Clear-Name, Real Name

Report: RADIUS Accounting
CSV attributes: User-Name, NAS-IP-Address, NAS-Port, Group-Name, Service-Type, Framed-Protocol, Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets

  6. For each of these reports, click Configure under Syslog, and for Syslog Server enter the IP address of the AccelOps virtual appliance that will receive the syslogs, enter 514 for Port, and set Max message length to 1024. Syslog on UDP port 514 is unencrypted and unauthenticated, so keep the path from ACS to the appliance on a management network.
  7. To make sure your changes take effect, go to System Configuration > Service Control, and click Restart ACS.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Microsoft Internet Authentication Server (IAS) Configuration


What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
WMI | | |
Syslog | | |

Event Types

In CMDB > Event Types, search for “microsoft ias” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

WMI

The WMI setup for IAS is the same as for Cisco ACS. Follow the steps in the Cisco ACS section above: create the monitoring account either as a generic user who does not belong to the local Administrator group (preferred) or as a member of Domain Admins, then complete Enable DCOM Permissions for the Monitoring Account, Enable Account Privileges in WMI, and Allow WMI through Windows Firewall for the Windows version you run.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

You need to configure your Microsoft Internet Authentication Server to save logs, and then you can use the Windows Agent Manager to configure the type of log information you want sent to AccelOps.

  1. Log in to your server as an administrator.
  2. Go to Start > Administrative Tools > Internet Authentication Service.
  3. In the left-hand navigation, select Remote Access Logging, then select Local File.
  4. Right-click Local File, select Properties, and then select the Log File tab.
  5. For Directory, enter C:\WINDOWS\system32\LogFiles\IAS.
  6. Click OK.

You can now use Windows Agent Manager to configure what information will be sent to AccelOps.

Juniper Networks Steel-Belted RADIUS Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process-level CPU utilization, memory utilization | Performance monitoring
WMI | Application type, service mappings | Process-level metrics: uptime, CPU utilization, memory utilization, read I/O, write I/O | Performance monitoring
Syslog | Application type | Successful and failed authentications, successful and failed administrative logons, RADIUS accounting logs | Security monitoring and compliance

Event Types

In CMDB > Event Types, search for “Juniper Steel-Belted RADIUS” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Log in as administrator.
  2. Install and configure the Epilog application to convert the log files written by the Steel-Belted RADIUS server into syslog messages for AccelOps:
    1. Download Epilog from the Epilog download site and install it on your Windows Server.
    2. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
  3. Configure the Epilog application as follows:
    1. Select Log Configuration in the left-hand panel and click Add to add the log files whose content needs to be sent to AccelOps. These log files are written by the Steel-Belted RADIUS server; make sure their paths are correct and that the Log Type is SteelbeltedLog.
    2. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the AccelOps server, set the port to 514, and make sure that the syslog header is enabled. Then click Change Configuration.
    3. Click the Apply the latest audit configuration link on the left-hand side to apply the changes to Epilog. Steel-Belted RADIUS logs will now be sent to AccelOps in real time.

Vasco DigiPass Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
Syslog | | Successful and failed authentications, successful and failed administrative logons | Security monitoring and compliance

Event Types

In CMDB > Event Types, search for “Vasco DigiPass” in the Device Type column to see the event types associated with this device. Some important ones are:

Vasco-DigiPass-KeyServer-AdminLogon-Success

Vasco-DigiPass-KeyServer-UserAuth-Success

Vasco-DigiPass-KeyServer-UserAuth-Failed

Vasco-DigiPass-KeyServer-AccountLocked

Vasco-DigiPass-KeyServer-AccountUnlocked

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the Vasco DigiPass Management Console to send syslog to AccelOps. AccelOps parses the logs automatically, provided the syslog format matches the following examples (ikeyserver messages consisting of a comma-separated sequence of brace-delimited fields).

May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program}

May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}

May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IP-Address: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-Certificate-Store: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-Authentication-Method: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/}
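To show what the format above gives a parser to work with, here is an added example (not code from the FortiSIEM page or from Vasco) that splits an ikeyserver message into its brace-delimited fields, keeping the nested Input Details and Output Details groups intact, and maps each record to one of the event types listed under Event Types. The three messages are the page's own samples, joined back onto single lines. The AccountLocked mapping (Command:Lock) is assumed by symmetry with the Unlock sample and is not confirmed by the page.

```powershell
# Added example, not from the FortiSIEM page: parse Vasco DigiPass ikeyserver syslog records
# and map them to the FortiSIEM event types listed above. Sample input is the page's own.

function Split-BraceFields {
    # Return the top-level {...} groups of a message body. Nested braces, as in
    # {Input Details: {User ID : flast} {Domain Name : company.com}}, stay inside their field.
    param([string]$Body)
    $fields = [System.Collections.Generic.List[string]]::new()
    $depth = 0; $start = -1
    for ($i = 0; $i -lt $Body.Length; $i++) {
        $c = $Body[$i]
        if ($c -eq '{') {
            if ($depth -eq 0) { $start = $i + 1 }
            $depth++
        } elseif ($c -eq '}') {
            $depth--
            if ($depth -eq 0 -and $start -ge 0) {
                $fields.Add($Body.Substring($start, $i - $start))
                $start = -1
            }
        }
    }
    return ,$fields
}

function Get-VascoEventType {
    # Map a parsed record to the event types the page lists for this device.
    param($Rec)
    if ($Rec.Result -eq 'Success' -and $Rec.Category -eq 'Administration') {
        if ($Rec.Message -like 'An administrative logon was successful*') {
            return 'Vasco-DigiPass-KeyServer-AdminLogon-Success'
        }
        if ($Rec.Object -eq 'User' -and $Rec.Command -eq 'Unlock') {
            return 'Vasco-DigiPass-KeyServer-AccountUnlocked'
        }
        if ($Rec.Object -eq 'User' -and $Rec.Command -eq 'Lock') {   # assumed by symmetry, not on the page
            return 'Vasco-DigiPass-KeyServer-AccountLocked'
        }
    }
    return $null   # not one of the listed types (for example the Initialization message)
}

function ConvertFrom-VascoSyslog {
    param([string]$Line)
    $m = [regex]::Match($Line, '^(?<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?<host>\S+) (?<prog>[\w-]+)\[(?<pid>\d+)\]: (?<body>.+)$')
    if (-not $m.Success) { return $null }
    $f = Split-BraceFields $m.Groups['body'].Value
    if ($f.Count -lt 5) { return $null }
    # Fixed positions first: result, category, message code, message text, record id ...
    $rec = [ordered]@{
        Timestamp = $m.Groups['ts'].Value; Host = $m.Groups['host'].Value
        Result = $f[0]; Category = $f[1]; Code = $f[2]; Message = $f[3]; RecordId = $f[4]
    }
    # ... then Key:Value fields, split on the first colon only (values contain ':' and braces).
    for ($i = 5; $i -lt $f.Count; $i++) {
        $idx = $f[$i].IndexOf(':')
        if ($idx -gt 0) { $rec[$f[$i].Substring(0, $idx).Trim()] = $f[$i].Substring($idx + 1).Trim() }
    }
    $rec['EventType'] = Get-VascoEventType $rec
    # The Initialization record states how the SOAP handler authenticates clients; surface "none".
    if ($rec.Category -eq 'Initialization' -and $rec['Configuration Details'] -match 'Client-Authentication-Method:\s*none') {
        $rec['Note'] = 'SOAP handler accepts clients without certificate authentication'
    }
    return [pscustomobject]$rec
}

# The page's three sample messages, one per line (here-string constructed for this example).
$Samples = @'
May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program}
May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}
May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IP-Address: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-Certificate-Store: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-Authentication-Method: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/}
'@

$events = $Samples -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-VascoSyslog $_ }
$events | Select-Object Timestamp, Code, EventType, 'User ID', 'Source Location', Note | Format-Table -AutoSize
```

Two things the run surfaces that the page does not call out: the Unlock record carries the user's Static Password History value and a Key ID inside Output Details, so this syslog feed should be treated as sensitive both in transit (UDP 514 is clear text) and in retention; and the Initialization record reports Client-Authentication-Method: none for the SOAP handler on port 8888, which the parser flags so that the exposure of that listener can be reviewed.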



This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
