Splunk UseCase for attacks against FortiGate Firewall management interfaces

If you are using Splunk as your SIEM you can try to detect attacks against your FortiGate firewalls by using the following SPL query:


index=firewall type=event subtype=system msg IN ("Failed to match community*", "Message authentication or checking failed*", "Negotiation failed: no matching*", "Negotiation failed: Broken pipe*")
| stats earliest(_time) as FirstEvent count by devname,msg,result,logdesc
| eval FirstEvent=strftime(FirstEvent,"%Y-%m-%d %H:%M:%S")

Splunk UseCase FortiGate Firewall Management Interface Attacks
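To see what the query above actually computes, here is an added Python example (not part of the original post) that replays the same filter and aggregation over a handful of constructed FortiGate-style event lines: the four msg prefixes from the SPL are matched as wildcards, and the results are grouped by devname, msg, result and logdesc with the earliest timestamp and a count, as the stats command does. The log lines and their values are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefixes from the SPL "msg IN (...)"; the trailing "*" is a wildcard.
MSG_PATTERNS = (
    "Failed to match community",
    "Message authentication or checking failed",
    "Negotiation failed: no matching",
    "Negotiation failed: Broken pipe",
)

# Constructed FortiGate-style key=value events (values are invented; order is shuffled).
SAMPLE_LOGS = """\
date=2024-05-01 time=08:15:09 devname="fgt-edge-01" type="event" subtype="system" logdesc="SNMP query failed" msg="Failed to match community name" result="failed"
date=2024-05-01 time=08:15:02 devname="fgt-edge-01" type="event" subtype="system" logdesc="SNMP query failed" msg="Failed to match community name" result="failed"
date=2024-05-01 time=08:16:30 devname="fgt-edge-02" type="event" subtype="system" logdesc="IPsec phase 1 error" msg="Negotiation failed: no matching proposal" result="failed"
date=2024-05-01 time=08:17:41 devname="fgt-edge-01" type="event" subtype="system" logdesc="Admin login successful" msg="Administrator admin logged in" result="OK"
date=2024-05-01 time=08:18:05 devname="fgt-edge-01" type="event" subtype="system" logdesc="SSH message error" msg="Message authentication or checking failed" result="failed"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def matches_usecase(ev):
    """Same filter as the SPL: type=event, subtype=system, msg starts with a pattern."""
    if ev.get("type") != "event" or ev.get("subtype") != "system":
        return False
    return any(ev.get("msg", "").startswith(p) for p in MSG_PATTERNS)

def stats_by_group(log_text):
    """Equivalent of '| stats earliest(_time) as FirstEvent count by devname,msg,result,logdesc'."""
    groups = defaultdict(lambda: {"FirstEvent": None, "count": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not matches_usecase(ev):
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        key = (ev.get("devname"), ev.get("msg"), ev.get("result"), ev.get("logdesc"))
        g = groups[key]
        g["count"] += 1
        if g["FirstEvent"] is None or ts < g["FirstEvent"]:
            g["FirstEvent"] = ts
    # Mirror the eval strftime(FirstEvent, "%Y-%m-%d %H:%M:%S") in the query.
    return {k: {"FirstEvent": v["FirstEvent"].strftime("%Y-%m-%d %H:%M:%S"), "count": v["count"]}
            for k, v in groups.items()}
```

Running `stats_by_group(SAMPLE_LOGS)` on the constructed input yields three rows; the successful admin login is dropped by the msg filter, and the two SNMP community failures collapse into one row with FirstEvent 08:15:02 and count 2.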


Additionally: It is imperative that you protect your FortiGate interfaces with TrustedHosts AND Local-In-Policies. TrustedHosts alone only protect HTTPS, SSH, etc., but not other protocols such as SIP, IPsec, CAPWAP, BGP, OSPF and SSL VPN, which are also local services running on the FortiGate and need to be protected, too.
See https://how2itsec.blogspot.com/2022/10/fortigate-admin-interface.html
