Searching for Tickets from or to External Systems

This should not be client accessible!

 

Provide a brief (two to three sentence) description of the task or the context for the task.

Prerequisites

Procedure

Related Links

Prerequisites

Optional, list any information the user needs to complete the task, or any tasks they need to complete before this task.

Prerequisite 1

Prerequisite 2

Procedure

1. A step should be a single sentence telling the user what to do. Use bold for interface elements, monospace for system messages, file names, etc.

Write any results of the step or notes to the user on the line below the step. You can also insert any of the info boxes here.

2. A step should be a single sentence telling the user what to do. Use bold for interface elements, monospace for system messages, file names, etc.

Write any results of the step or notes to the user on the line below the step. You can also insert any of the info boxes here.

3. A step should be a single sentence telling the user what to do. Use bold for interface elements, monospace for system messages, file names, etc.

Write any results of the step or notes to the user on the line below the step. You can also insert any of the info boxes here.

 

Post-Requisites

Optional, list anything the user should do after completing the task.

Post-requisite

Post-requisite

Related Links

List any related topics. Do not include topics that are in the same hierarchy as this topic, as the relationship is implied by the hierarchy.

Related link 1

Related link 2

 

 

 

 

External CMDB Integration

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Integrating with External CMDB and Helpdesk SystemsTopics in this section include

FortiSIEM Integration Framework Overview

External Helpdesk System Integration

Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems

Creating Outbound Policies for Creating Tickets in External Helpdesk Systems Searching for Tickets from or to External Systems

External CMDB Integration

Creating Inbound Policies for Importing Devices from an External System

Creating the CSV File for Importing Devices from External Systems

Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems

Setting Schedules for Receiving Information from External Systems

Using the AccelOps API to Integrate with External Systems Exporting Events to External Systems via Kafka

FortiSIEM Integration Framework Overview

The FortiSIEM integration framework provides a way for you create two-way linkages between workflow-based Help centers like ServiceNow and Connectwise, as well as external CMDBs.

The integration framework is based on creating policies for inbound and outbound communications with other systems, including sharing of incident and ticket information, and CMDB updates. Support is provided for creating policies to work with selected vendor systems, while the integration API lets you build modules to integrate with proprietary and other systems. Once you’ve created your integration policies, you can set them to execute once on a defined date and time, or on a regular schedule.

External Helpdesk System Integration

Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems

Once a ticket has been opened in an external ticketing system, the status of the ticket is maintained in external system. This section shows how to synchronize the external ticket status back in FortiSIEM.

Creating a integration policy

Create an integration policy for updating FortiSIEM external ticket state and incident status.

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Add.
4. For Type, select Incident.
5. For Direction, select Inbound.
6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise is supported out of the box. When you select the Vendor:
   1. An Instance is created – this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise installations, each would have different Instance names. You can change this instance name.
   2. A default Plugin Name is populated – this is the Java code that implements the integration including connecting to the external help desk systems and creating/updating the ticket. The plugin name is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system.
8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
9. Enter the Time Window – external ticket state for tickets closed in the external help desk/workflow system during the time window specified here will be synched back.
10. Click Save.

Updating FortiSIEM external ticket state and incident status automatically on a schedule

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Schedule and then click +
   1. Select the integration policy
   2. Select a schedule

The following fields in an FortiSIEM incident are updated

External Ticket State

Ticket State

External Cleared Time

External Resolve Time

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

 

 

 

Creating Outbound Policies for Creating Tickets in External Helpdesk Systems

This section explains how to configure FortiSIEM to create tickets in external help desk systems.

Prerequisites

Make sure you have the URL and the credentials for connecting to external help desk systems. The credentials must have sufficient permission to make changes to the Incident view.

Procedure

Creating an integration policy

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Add.
4. For Type, select Incident.
5. For Direction, select Outbound.
6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise is supported out of the box. When you select the Vendor:
   1. An Instance is created – this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise installations, each would have different Instance names. You can change this instance name.
   2. A default Plugin Name is populated – this is the Java code that implements the integration including connecting to the external help desk systems and creating/updating the ticket. The plugin name is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system.
8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
9. Enter the Maximum number of incidents to be synched with the external system at a time.
10. For Incident Comment Template, click Edit to format a string using Incident Attributes. This formatted string will be written in the ticket comment field in the external ticketing system. It works similarly as a custom email notification.
11. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system.
12. ConnectWise specific field: ServiceBoard: Enter the name of the ServiceBoard where the incidents would be posted
13. Click Save.

Creating tickets automatically when incident triggers

1. Create an integration policy
2. Go to Analytics > Incident Notification Policy and create a Notification Policy.
3. For Actions, check Invoke a Notification Policy. Then Click Edit Policy and select an integration policy created in Step 1.
4. Click Save

The following fields in an FortiSIEM incident are updated after a ticket has been created in external ticketing system

External Ticket ID

External Ticket State

External User (optional)

Creating tickets automatically on a schedule

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Schedule and then click +
   1. Select the integration policies
   2. Select a schedule

The following fields in an FortiSIEM incident are updated after a ticket has been created in external ticketing system

External Ticket ID

External Ticket State

External User (optional)

Creating tickets on-demand (one-time)

1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Select a specific integration policy and Click Run

The following fields in an FortiSIEM incident are updated after a ticket has been created in external ticketing system

External Ticket ID

External Ticket State

External User (optional)

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Managing Event Data Archive

Prerequisites

Creating Archive Destination

Creating Offline (Archive) Retention Policy

Prerequisites

Make sure you read the section on Setting Archive and Purge Policies in the topic Creating Event Database Archives before you set up your policy. It is very important that you understand how FortiSIEM moves data into the archive, and purges archived data when the archive destination storage reaches capacity, before you create your policy.

Make sure that your Archive Destination has sufficient storage for your event data + 20GB. When the archive storage reaches 20GB of capacity, FortiSIEM will begin to purge archived data, in daily increments, starting with the oldest data, to maintain a 20GB overhead.

Creating Archive Destination

1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management.
3. Click Retention Policy.
4. For Archive Destination, enter the full path of the file system directory where you want your event data to be archived, and then click Ap ply.

Offline Storage Capacity for Multi-Tenant Deployments

Note that all organizations will share the same Archive Destination. For this reason, you should make sure that the archive destination has enough capacity to hold the event data for both the number of organizations and the archive retention period that you set for each. If the archive destination does not have enough storage capacity, the archive operation may fail.

Creating Offline (Archive) Retention Policy

This enables you to control which customers data stays in event data archive and for how long.

1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management.
3. Click Retention Policy.
4. Under Offline Retention Policies, click New.
5. For multi-tenant installations, select the Organization for which this policy will apply.
6. For Time Period, enter the number of days that event data should be held in the offline storage before it is purged.
7. Click Save.

Managing Online Event Data

Creating Online Event Retention Policy

This enables you to control the content of online event data.

1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management.
3. Click Retention Policy.
4. Under Online Retention Policies, click Add.
5. Enter the following information
   1. Enabled – Check this box if the policy has to be enforced right away.
   2. Organizations – Choose the organizations for which the policy has to be applied (for Service Provide installs)
   3. Reporting Devices – Choose the reporting devices relevant to this policy
   4. Event Type – Choose the event types or event type groups
   5. Time period – enter the number of days that event data specified by the conditions (Organizations, Reporting Devices and Event Type) should be held in the online storage before it is moved to archive or purged.
   6. Description – enter a description for the policy
6. Click Save.

Viewing Online Event Data Usage

This enables you to see a summarized view of online event data. These views enables you to manage storage more effectively by writing appropriate event dropping policies or online event retention policies.

Restoring Archived Data

Once your event data has been moved to an offline archive, you can no longer query that data from within FortiSIEM. However, you can restore it to your virtual appliance, and then proceed with any queries or analysis.

1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management > Data Manager.
3. Under Reserved Restore Space (GB), enter the amount of storage space that will be reserved for the restored data.

This should be equal to or larger than the size of the archive to be restored.

4. Under Archived Data, select the archive that you want to restore.
5. Click Restore.

The archive data will be moved to the restore space and can be queried in the usual ways.

 

Validating Log Integrity

1. Security auditors can validate that archived event data has not been tampered with by using the Event Integrity function of Event DB Management.
2. Log in to your Supervisor node.
3. Go to Admin > Event DB Management > Event Integrity.
4. Select the Begin Time and End Times for the time period during which log integrity needs to be validated.
5. Click Show.

You will see a table of all the logs that are available for the specified time period

6. Use Validation Status to filter the types of logs you want to validate.
7. Select the log you want to validate, and click Validate.

A table showing the validation status of logs will be displayed.

Column	Description
Start Time	The earliest time of the messages in this file. The file does not contain messages that were received by FortiSIEM before this time.
End Time	The latest time of the messages in this file. The file does not contain messages that were received by FortiSIEM after this time.
Category	Internal: these messages were generated by FortiSIEM for its own use. This includes FortiSIEM system logs and monitoring events such as the ones that begin with PH_DEV_MON. External: these messages were received by FortiSIEM from an external system Incident: these corresponds to incidents generated by FortiSIEM
File Name	The name of the log file
Event Count	The number of events in the file
Checksum Algorithm	The checksum algorithm used for computing message integrity
Message Checksum	The value of the checksum
Validation Status	Not Validated: the event integrity has not been validated yet Successful: the event integrity has been validated and the return was success. This means that the logs in this file were not altered. Failed: the event integrity has been validated and the return was failed. This means that the logs in this file were altered. Archived: the events in this file were archived to offline storage
File Location	Local: local to Supervisor node External: means external to Supervisor node, for example on NFS storage

 

8. Click Export to create a PDF version of the validation results.

 

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Creating Event Database Archives

Online v. Offline Storage

Setting Purge and Archive Policies

Archive and Purge Alerts

Online v. Offline Storage

The FortiSIEM event database, eventDB, is for near-to-intermediate term storage and querying of events. As an online database, eventDB has fast query performance, but this performance comes with a limited storage capacity, and is expensive in terms of resource consumption. For these reasons, data needs to be periodically purged from eventDB and moved into offline storage, but still be available for querying for forensic analysis. FortiSIEM checks the capacity of the online EventDB storage every 30 minutes, and when approaches capacity, begins to move event information, in daily increments, into the offline storage location.

The FortiSIEM virtual appliance includes a data archiving function that enables you to define an offline storage location, and a policy for the number of days that events will be kept in online or offline storage. This archiving function also includes the ability for compliance auditors to validate logs to ensure that they haven’t been tampered with in the offline storage. The data is cryptographically signed (SHA256) at the point of entry, and the checksums are stored in the database. The check sums can be re-verified on demand at any point of time, and if the data has been tampered with, then the check sums will not match. The data integrity reports can be exported in PDF format. If the events in offline storage need to be queried at some point in the future, they can be restored to the FortiSIEM virtual appliance.

Setting Purge and Archive Policies

Online data is only moved to the archive location when online storage reaches capacity. When you set the archive policy as described in Managin g Event Data Archive, you are setting the amount of time that archived data will be retained before it is purged. For example, if you set the Data Management Policy for your deployment or an organization to 90 days, then maintenance will run every day to purge data that is over 90 days old. If there is not enough offline storage for 90 days, then archived events will be purged from offline storage to create more capacity. If there is enough storage for the 90 days, then events will only be purged after 90 days. For this reason it is very important that you set an archive location that has sufficient capacity to store the amount of data for the number of days that you specify.

For multi-tenant deployments, you can set archive policies for each organization. If one organization requires 30 days of storage, and another customer requires 90 days of storage, then FortiSIEM will attempt to enforce these policies in relation to the amount of storage available. For the first organization, events will be deleted from the archive storage location on the 31st day to free up capacity for the organization that has longer storage requirements.

As with the online EventDB data, every 30 minutes FortiSIEM will check the capacity of the offline archive storage, and when the remaining storage capacity reaches a 20GB threshold, it will begin to purge data from the archive location, beginning with the oldest data, and purging it in daily increments, until the remaining storage capacity is above 20GB.

Archive and Purge Alerts

There are several system alerts that are related to eventDB capacity and the archiving function:

Alert	Description
Online event database close to full (below 20GB)	When the database reaches a point where the remaining storage capacity is below 20GB, its contents will be purged or archived, depending on whether an archive storage location has been defined
Event Archive started	The archive process has been initiated
Event Archive failed	The archive process has failed, likely due to a lack of capacity in the offline storage location
Event Archive purged because of archive purging policy	The contents of the event archive have been purged from offline storage according to the archive purging policy
Event Archive purged because it is full	The contents of the event archive have been purged from offline storage due to capacity issues

Managing Event Data Archive

Managing Online Event Data

Restoring Archived Data Validating Log Integrity

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Importing and Exporting CMDB Report Definitions

Instead of using the user interface to define a report, you can import report definitions, or you can export a definition, modify it, and import it back into your FortiSIEM virtual appliance. Report definitions follow an XML schema.

Importing a Report Definition

1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Select the folder where you want to import the report definition, or create a new one.
4. Click Import.
5. Copy your report definition into the text field, and then click Import.

Exporting a Report Definition

1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Select the report you want to export, and then click Export.
4. Click Copy to Clipboard.
5. Paste the report definition into a text editor, modify it, and then follow the instructions for importing it back into your virtual appliance.

XML Schema for Report Definitions

 

Importing a CMDB Report Definition

1. Go to Report listing page and select the CMDB Report folder where the report is to be imported.
2. Click Import and see the report showing up in the correct folder.

Exporting a CMDB Report Definition

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Creating and Modifying CMDB Reports

There are two ways you can create new CMDB reports: you can create a new report from scratch, or you can clone and modify an existing system or user-defined report.

Creating a New Report

1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Create a group to add the new report to if you are not adding it to an existing group.
4. Click New.
5. Enter a Name and Description for the report.
6. Select the Conditions for the report.

You can use parentheses to give higher precedence to evaluation conditions.

7. Select the Display Columns.

The Display Column attributes contain an implicit “group by” command. You can change the order of the columns with the Move Row:

Up and Down buttons.

8. Click Save.

Cloning and Modifying a Report

You can modify user-defined reports by selecting the report and clicking Edit. However, you cannot directly edit a system-defined report. Instead, you have to clone it, then save it as a new report and modify it.

1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Select the system-defined you want to modify, and then click Clone.
4. Enter a name for the new report, and then click Save.

The cloned report will be added to the folder of the original report.

5. Select the new report, and then click Edit.
6. Edit the report, and then click Save.

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Reporting on CMDB Objects

All of the information in the CMDB can be reported on. FortiSIEM includes a number of pre-defined reports that you can run and export to PDF, and you can also create your own reports.

CMDB Report Types

Running, Saving, and Exporting a CMDB Report

Creating and Modifying CMDB Reports

Importing and Exporting CMDB Report Definitions

CMDB Report Types

You can find all system-defined reports in CMDB > CMDB Reports. The reports are organized into folders as shown in this table. Click on a report to view Summary information about it, including the report conditions and the columns included in the report.

Report and Organization Associations for Multi-Tenant Deployments

If you have an FortiSIEM multi-tenant deployment, the Organization column in the CMDB report table will show whether the report is defined for a specific organization. If it is, then that report is available for both the organization and Super/Global users.

CMDB Report Folder	Object to Report On	Report Name
Overall	Device Approval Status	Approved Devices Not Approved Devices
	Users	Discovered Users Externally Authenticated FortiSIEM Users Locally Authenticated FortiSIEM Users Manually Defined Users
	Rules	Active Rules Rules with Exceptions
	Reports	Scheduled Reports
	Performance Monitors	Active Performance Monitors
	Task	All Existing Tasks
	Business Service	Business Service  Membership
Network	Inventory	Network Device Components with Serial Number Network Interface Report Router/Switch Inventory Router/Switch Image Distribution
	Ports	Network Open Ports
	Relationship	WLAN-AP Relationship
Server	Inventory	Server Inventory Server OS Distribution Server Hardware: Processor Server Hardware: Memory and Storage
	Ports	Server Open Ports
	Running Services	Windows Auto Running Services Windows Auto Stopped Services Windows Exchange Running Services Windows IIS Running Services Windows Manual Running Services Windows Manual Stopped Services Windows SNMP Running Services Windows VNC Running Services Windows WMI Running Services

 

	Installed Software / Patches	Windows Installed Software Windows Installed Patches Windows Installed Software Distribution
Virtualization	Relationship	VM-ESX Relationship

 

 

Running, Saving, and Exporting a CMDB Report

1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports, and select the report you want to run.
3. Click Run.
4. If you have a multi-tenant deployment, you will be prompted to select the organizations for which you want to run the report.
5. Click Save if you want to save the report.

Reports are only saved for the duration of your login session, and you can view saved reports by clicking Report Results. Each saved report will be listed as a separate tab, and you can delete them by clicking the X that appears when you hover your mouse over the report name in the tab. You can save up to 5 reports per login session

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Watch Lists

A Watch List is a smart container of similar items such as host names, IP addresses, or user names, that are of significant interest to an administrator and need to be watched. Examples of watch lists that are already set up in FortiSIEM are

Frequent Account Lockouts – users who are frequently locked out

Host Scanners – IP addresses that scan other devices

Disk space issues – hosts with disks that are running out of capacity

Denied countries – countries with an excessive number of access denials at the firewall

Blacklisted WLAN endpoints – Endpoints that have been blacklisted by Wireless IPS systems

Typically items are added to a watch list dynamically when a rule is triggered, but you can also add items to a watch list manually. When you define a rule, you can also choose a watch list that will be populated with a specific incident attribute, as described in Adding a Watch List to a Rule, and you can use watch lists as conditions when creating reports, as described in Using Watch Lists as Conditions in Rules and Reports. Yo u can also define when an entry leaves a watch list. Typically this is time based. For example, if the rule does not trigger for that attribute for defined time-period, then the entry is removed from the watch list. Watch lists are also multi-tenant aware, with organization IDs tracked in relation to watch list items.

Creating a Watch List

System-Defined Watch Lists

Related Links

Using Watch Lists as Conditions in Rules and Reports

Adding a Watch List to a Rule

Overview of the CMDB User Interface

 

Creating a Watch List

1. Log in to your Supervisor node.
2. Go to CMDB > Watch Lists.
3. Click +.
4. Choose an Organization to associate with the watch list.
5. Enter a Group name and Description for the watch list.
6. Select an object Type for the incident attribute that will be saved to the watch list.
7. Select Case Sensitive if the object type is String and you want to use case sensitivity to compare strings.
8. For Values Expire in, set the time period in which items will expire from the watch if there is no activity for that time.
9. Click OK.

You can now add your new watch list to a rule, so that when the rule is triggered, items will be added to the watch list. You can also use your watch list as a condition in historical search. See Adding a Watch List to a Rule and Using Watch Lists as Conditions in Rules and Reports for more information.

Related Links

Adding a Watch List to a Rule

Using Watch Lists as Conditions in Rules and Reports

 

System-Defined Watch Lists

FortiSIEM includes several pre-defined watch lists that are populated by system-defined rules.

Watch list	Description	Attribute Type	Triggering Rules
Accounts Locked	Domain accounts that are locked out frequently	User (STRING)	Account Locked: Domain

 

 

Application Issues

Applications exhibiting issues

Host Name (STRING)

IIS Virtual Memory Critical SQL Server Low Buffer Cache Hit Ratio SQL Server Low Log Cache Hit Ratio SQL Server Excessive Deadlock SQL Server Excessive Page Read/Write SQL Server Low Free Pages In Buffer Pool SQL Server Excessive Blocking Database Server Disk Latency Critical SQL Server Excessive Full Scan SQL Server scheduled job failed High Oracle Table Scan Usage High Oracle Non-System Table Space Usage Oracle database not backed up for 1 day Exchange Server SMTP Queue High Exchange Server Mailbox Queue High Exchange Server RPC Request High Exchange Server RPC Latency High Oracle DB Low Buffer Cache Hit Ratio Oracle DB Low Library Cache Hit Ratio Oracle DB Low Row Cache Hit Ratio Oracle DB Low Memory Sorts Ratio Oracle DB Alert Log Error Excessively Slow Oracle DB Query Excessively Slow SQL Server DB Query Excessively Slow MySQL DB Query

 

Availability Issues	Servers, networks or storage devices or Applications that are exhibiting availability issues	Host Name (STRING)	Network Device Degraded – Lossy Ping Response Network Device Down – No Ping Response Server Degraded – Lossy Ping Response Server Down – No Ping Response Server Network Interface Staying Down Network Device Interface Flapping Server Network Interface Flapping Important Process Staying Down Important Process Down Auto Service Stopped Critical network Interface Staying Down EC2 Instance Down Storage Port Down Oracle Database Instance Down Oracle Listener Port Down MySQL Database Instance Down SQL Server Instance Down Service Staying Down – Slow Response To STM Service Down – No Response to STM Service Staying Down – No Response to STM
DNS Violators	Sources that send excessive DNS traffic or send traffic to unauthorized DNS gateways	Source IP	Excessive End User DNS Queries to Unauthorized DNS servers Excessive End User DNS Queries Excessive Denied End User DNS Queries Excessive Malware Domain Name Queries Excessive uncommon DNS Queries Excessive Repeated DNS Queries To The Same Domain

 

Denied Countries	Countries that are seeing a high volume of denials on the firewall	Destination Country (STRING)	Excessive Denied Connections From An External Country
Denied Ports	Ports that are seeing a high volume of denies on the firewall	Destination Port (INT)	Excessive Denied Connection To A Port
Environmental Issues	Environmental Devices that are exhibiting issues	Host name (String)	UPS Battery Metrics Critical UPS Battery Status Critical HVAC Temp High HVAC Temp Low HVAC Humidity High HVAC Humidity Low FPC Voltage THD High FPC Voltage THD Low FPC Current THD High FPC ground current high NetBoz Module Door Open NetBotz Camera Motion Detected Warning APC Trap Critical APC Trap
Hardware Issues	Servers, networks or storage devices that are exhibiting hardware issues	Host Name (String)	Network Device Hardware Warning Network Device Hardware Critical Server Hardware Warning Server Hardware Critical Storage Hardware Warning Storage Hardware Critical Warning NetApp Trap Critical Network Trap
Host Scanners	Hosts that scan other hosts	Source IP	Heavy Half-open TCP Host Scan Heavy Half-open TCP Host Scan On Fixed Port Heavy TCP Host Scan Heavy TCP Host Scan On Fixed Port Heavy UDP Host Scan Heavy UDP Host Scan On Fixed Port Heavy ICMP Ping Sweep Multiple IPS Scans From The Same Src

 

Mail Violators	End nodes that send too much mail or send mail to unauthorized gateways		Excessive End User Mail to Unauthorized Gateways Excessive End User Mail
Malware Found	Hosts where malware found by Host IPS /AV based systems and the malware is not remediated	Host Name (String)	Virus found but not remediated Malware found but not remediated Phishing attack found but not remediated Rootkit found Adware process found
Malware Likely	Hosts that are likely to have malware – detected by network devices and the determination is not as certain as host based detection	Source IP or Destination IP	Excessive Denied Connections From Same Src Suspicious BotNet Like End host DNS Behavior Permitted Blacklisted Source Denied Blacklisted Source Permitted Blacklisted Destination Denied Blacklisted Destination Spam/malicious Mail Attachment found but not remediated Spyware found but not remediated DNS Traffic to Malware Domains Traffic to Emerging Threat Shadow server list Traffic to Emerging Threat RBN list Traffic to Emerging Threat Spamhaus list Traffic to Emerging Threat Dshield list Traffic to Zeus Blocked IP list Permitted traffic from Emerging Threat Shadow server list Permitted traffic from Emerging Threat RBN list Permitted traffic from Emerging Threat Spamhaus list Permitted traffic from Emerging Threat Dshield list Permitted traffic from Zeus Blocked IP list

 

 

Port Scanners	Hosts that scan ports on a machine	Source IP	Heavy Half-open TCP Port Scan: Single Destination Heavy Half-open TCP Port Scan: Multiple Destinations Heavy TCP Port Scan: Single Destination Heavy TCP Port Scan: Multiple Destinations Heavy UDP Port Scan: Single Destination Heavy UDP Port Scan: Multiple Destinations
Policy Violators	End nodes exhibiting behavior that is not acceptable in typical Corporate networks	Source IP	P2P Traffic detected IRC Traffic detected P2P Traffic consuming high network bandwidth Tunneled Traffic detected Inappropriate website access Inappropriate website access – multiple categories Inappropriate website access – high volume Inbound clear text password usage Outbound clear text password usage Remote desktop from Internet VNC From Internet Long lasting VPN session High throughput VPN session Outbound Traffic to Public DNS Servers
Resource Issues	Servers, networks or storage devices that are exhibiting resource issues: CPU, memory, disk space, disk I/O, network I/O, virtualization resources – either at the system level or application level	Host Name (STRING)	High Process CPU: Server High Process CPU: Network High Process Memory: Server High Process Memory: Network Server CPU Warning Server CPU Critical Network CPU Warning Network CPU Critical Server Memory Warning Server Memory Critical

Network Memory Warning

Network Memory Critical

Server Swap Memory Critical

Server Disk space Warning

Server Disk space Critical

Server Disk Latency Warning

Server Disk Latency Critical

Server Intf Util Warning

Server Intf Util Critical

Network Intf Util Warning

Network Intf Util Critical

Network IPS Intf Util Warning

Network IPS Intf Util Critical Network Intf Error Warning

Network Intf Error Critical Server Intf Error Warning

Server Intf Error Critical

Virtual Machine CPU Warning

Virtual Machine CPU Critical

Virtual Machine Memory

Swapping Warning

Virtual Machine Memory

Swapping Critical

ESX CPU Warning

ESX CPU Critical

ESX Memory Warning

ESX Memory Critical

ESX Disk I/O Warning

ESX Disk I/O Critical

ESX Network I/O Warning

ESX Network I/O Critical Storage CPU Warning

Storage CPU Critical

NFS Disk space Warning

NFS Disk space Critical

NetApp NFS Read/Write

Latency Warning

NetApp NFS Read/Write Latency Critical

NetApp CIFS Read/Write

Latency Warning

			NetApp CIFS Read/Write Latency Critical NetApp ISCSI Read/Write Latency Warning NetApp ISCSI Read/Write Latency Critical NetApp FCP Read/Write Latency Warning NetApp FCP Read/Write Latency Critical NetApp Volume Read/Write Latency Warning NetApp Volume Read/Write Latency Critical EqualLogic Connection Read/Write Latency Warning EqualLogic Connection Read/Write Latency Critical Isilon Protocol Latency Warning
Routing Issues	Network devices exhibiting routing related issues	Host Name (STRING)	OSPF Neighbor Down EIGRP Neighbor down OSPF Neighbor Down
Scanned Hosts	Hosts that are scanned	Destination IP	Half-open TCP DDOS Attack TCP DDOS Attack Excessive Denied Connections to Same Destination
Vulnerable Systems	Systems that have high severity vulnerabilities from scanners	Host Name (STRING)	Scanner found severe vulnerability
Wireless LAN Issues	Wireless nodes triggering violations	MAC Address (String)	Rogue or Unsecure AP detected Wireless Host Blacklisted Excessive WLAN Exploits Excessive WLAN Exploits: Same Source

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!