Showing posts with label FortiAnalyzer. Show all posts

FortiAnalyzer reports - how to group subdomains to only show the root domain

Most Fortinet FortiAnalyzer reports list the full hostname including subdomains, e.g. www.google.com or maps.google.com. If you want subdomains grouped under their root domain (e.g. google.com) instead, clone the existing report and its dataset and change the new dataset as follows:

Original Dataset:

select domain, string_agg(distinct catdesc, ', ') as agg_catdesc, sum(requests) as requests
from ###(
    select hostname as domain, catdesc, count(*) as requests
    from $log
    where $filter and (eventtype is null or logver>=52)
      and hostname is not null and catdesc is not null and action!='blocked'
    group by domain, catdesc
    /*SkipSTART*/order by requests desc/*SkipEND*/
)### t
group by domain
order by requests desc

Changed Dataset:

select domain, string_agg(distinct catdesc, ', ') as agg_catdesc, sum(requests) as requests
from ###(
    select coalesce(nullifna(root_domain(hostname)), ipstr(dstip)) as domain, catdesc, count(*) as requests
    from $log
    where $filter and (eventtype is null or logver>=52)
      and hostname is not null and catdesc is not null and action!='blocked'
    group by domain, catdesc
    /*SkipSTART*/order by requests desc/*SkipEND*/
)### t
group by domain
order by requests desc

Dataset change:

select hostname as domain
->
select coalesce(nullifna(root_domain(hostname)), ipstr(dstip)) as domain
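To see what the one-line change actually does to the report, here is an added example (my own code, not from the original post and not the FortiAnalyzer implementation) that re-creates the inner and outer query of both datasets in plain Python over a small constructed set of web-filter records. root_domain(), nullifna() and ipstr() are FortiAnalyzer SQL functions; my stand-ins are simplified approximations: the root-domain logic keeps the last two labels (three for a short list of two-level public suffixes) and returns NULL for an IP-literal hostname so that the coalesce() fallback to dstip can be shown. The two-level suffix list and the IP-literal behaviour are my assumptions.

```python
"""Added example: before/after grouping of the FortiAnalyzer web-filter dataset."""
from collections import defaultdict

# Constructed sample log records (not real traffic). One record has no hostname
# (dropped by 'hostname is not null' in both datasets), one is an IP-literal
# hostname, and one is blocked (dropped by action!='blocked').
SAMPLE_LOGS = [
    {"hostname": "www.google.com", "dstip": "142.250.1.1", "catdesc": "Search Engines and Portals", "action": "passthrough"},
    {"hostname": "maps.google.com", "dstip": "142.250.1.2", "catdesc": "Reference", "action": "passthrough"},
    {"hostname": "www.google.com", "dstip": "142.250.1.1", "catdesc": "Search Engines and Portals", "action": "passthrough"},
    {"hostname": "news.bbc.co.uk", "dstip": "151.101.1.1", "catdesc": "News and Media", "action": "passthrough"},
    {"hostname": "www.bbc.co.uk", "dstip": "151.101.1.2", "catdesc": "News and Media", "action": "passthrough"},
    {"hostname": "203.0.113.7", "dstip": "203.0.113.7", "catdesc": "Unrated", "action": "passthrough"},
    {"hostname": None, "dstip": "203.0.113.8", "catdesc": "Unrated", "action": "passthrough"},
    {"hostname": "bad.example.net", "dstip": "198.51.100.9", "catdesc": "Malicious Websites", "action": "blocked"},
]

# Assumption: a short list of two-level public suffixes; the real function is
# FortiAnalyzer's own and may differ in edge cases.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def root_domain(hostname):
    """Approximation of FAZ root_domain(): strip subdomain labels.
    Returns None for an IP literal (assumption) so coalesce() can fall back."""
    labels = hostname.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def nullifna(value):
    """Stand-in for FAZ nullifna(): treat 'N/A' and empty as NULL."""
    return None if value in (None, "", "N/A", "n/a") else value


def original_domain(rec):
    """Original dataset: select hostname as domain"""
    return rec["hostname"]


def changed_domain(rec):
    """Changed dataset: coalesce(nullifna(root_domain(hostname)), ipstr(dstip)).
    dstip is already a string here, so ipstr() is the identity."""
    rd = nullifna(root_domain(rec["hostname"]))
    return rd if rd is not None else rec["dstip"]


def build_report(logs, domain_fn):
    """Inner query: count requests per (domain, catdesc) after the where-clause;
    outer query: per domain, string_agg(distinct catdesc) and sum(requests),
    ordered by requests desc (ties broken by domain for a stable result)."""
    inner = defaultdict(int)
    for rec in logs:
        if rec["hostname"] is None or rec["catdesc"] is None or rec["action"] == "blocked":
            continue
        inner[(domain_fn(rec), rec["catdesc"])] += 1
    outer = defaultdict(lambda: {"cats": set(), "requests": 0})
    for (domain, catdesc), n in inner.items():
        outer[domain]["cats"].add(catdesc)
        outer[domain]["requests"] += n
    rows = [(d, ", ".join(sorted(v["cats"])), v["requests"]) for d, v in outer.items()]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    for title, fn in (("Original dataset", original_domain), ("Changed dataset", changed_domain)):
        print(title)
        for domain, cats, requests in build_report(SAMPLE_LOGS, fn):
            print(f"  {domain:<18} {requests:>3}  {cats}")
```

Running it shows five rows for the original dataset (www.google.com and maps.google.com separately) collapsing to three rows for the changed one: google.com with both categories aggregated and 3 requests, bbc.co.uk with 2, and the IP literal kept as its own row via the dstip fallback. Note that string_agg in PostgreSQL has no guaranteed order unless you add one; the example sorts the category list so the output is deterministic.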

Result screenshots:

Before adjusting the dataset: (screenshot)

After adjusting the dataset: (screenshot)

Source:

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortianalyzer-v560-dataset-referencepdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=130376293&stateId=1%200%20130378047%27)

Hardening FortiGate connection to FortiAnalyzer

The FortiGate uses OFTP (Fortinet's proprietary Optimized Fabric Transfer Protocol, not the Odette File Transfer Protocol) to transfer data between FortiGates and the FortiAnalyzer. The connection is encrypted with SSLv3 or TLS, depending on configuration. To harden the connection, use the following commands:

Cfg for FortiAnalyzer

1. Set TLS to minimum version 1.2:

2. Change the FAZ certificate to one issued for the correct FQDN by your own or a public CA:

Debugging can be done using the following commands:


Oftpd daemon test usage: diagnose test application oftpd <integer>
  • 1: show PID
  • 2: show statistics and state
  • 3: show connected device name and IP
  • 4: show detailed session state
  • 5: show oftp request statistics
  • 6: show cmdb device cache
  • 7: show logfwd thread stats
  • 8: show tasklist statistics
  • 9: show unreg dev cache
  • 10: log cluster bridge stats
  • 20: show forticlent end-user stats
  • 21: rebuild forticlient end-user avatar table
  • 90: reload un-reg device tree
  • 99: restart daemon

After hardening, the FortiAnalyzer global settings look like this:
(global)# get
dh-params           : 8192
enc-algorithm       : high
fgfm-ssl-protocol   : tlsv1.2
oftp-ssl-protocol   : tlsv1.2
ssl-low-encryption  : disable
ssl-protocol        : tlsv1.2
ssl-static-key-ciphers: disable
webservice-proto    : tlsv1.2


Cfg for FortiGate

1. Change TLS ciphers to high:

config log fortianalyzer setting
    set enc-algorithm high
end

2. Change Global TLS-Settings

config system global
    set ssl-static-key-ciphers disable
    set dh-params 8192
    set strong-crypto enable
end
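A practitioner usually wants to confirm the hardening stuck after an upgrade or a config restore. The following is an added example (my own code, not from the post and not a Fortinet tool) that parses the "key : value" lines of the FortiAnalyzer "(global)# get" output quoted above and reports every setting that does not meet the baseline the post shows. A second, smaller baseline covers the FortiGate values from the two config blocks above, assuming they are read back with "get system global" and "get log fortianalyzer setting", which print in the same "key : value" layout. Treating tlsv1.3 as at least as good as tlsv1.2, and 2048 as the minimum DH size rather than the 8192 the post uses, are my assumptions.

```python
"""Added example: check FortiAnalyzer/FortiGate TLS settings output against a hardened baseline."""
import re

# Matches "key : value" lines; the prompt line "(global)# get" does not match.
LINE_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(\S+)\s*$")

STRONG_TLS = {"tlsv1.2", "tlsv1.3"}  # assumption: 1.3 counts as hardened too


def parse_get_output(text):
    """Turn 'key : value' lines into a dict; blank and prompt lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings


def _tls(v):
    return v in STRONG_TLS


def _dh(v):
    return v.isdigit() and int(v) >= 2048  # assumption: 2048 minimum (post uses 8192)


# Baselines: key -> (predicate, human-readable expectation). Values follow the post.
FAZ_BASELINE = {
    "dh-params": (_dh, "numeric, 2048 or larger"),
    "enc-algorithm": (lambda v: v == "high", "high"),
    "fgfm-ssl-protocol": (_tls, "tlsv1.2 or tlsv1.3"),
    "oftp-ssl-protocol": (_tls, "tlsv1.2 or tlsv1.3"),
    "ssl-low-encryption": (lambda v: v == "disable", "disable"),
    "ssl-protocol": (_tls, "tlsv1.2 or tlsv1.3"),
    "ssl-static-key-ciphers": (lambda v: v == "disable", "disable"),
    "webservice-proto": (_tls, "tlsv1.2 or tlsv1.3"),
}

FGT_BASELINE = {
    "enc-algorithm": (lambda v: v == "high", "high"),          # config log fortianalyzer setting
    "ssl-static-key-ciphers": (lambda v: v == "disable", "disable"),  # config system global
    "dh-params": (_dh, "numeric, 2048 or larger"),
    "strong-crypto": (lambda v: v == "enable", "enable"),
}


def check_settings(settings, baseline):
    """Return a list of (key, actual, expected) findings; an empty list means compliant.
    A key missing from the output is reported too, since silence is not proof."""
    findings = []
    for key, (ok, expected) in baseline.items():
        actual = settings.get(key)
        if actual is None or not ok(actual):
            findings.append((key, actual if actual is not None else "<missing>", expected))
    return findings


# Constructed: the hardened FAZ output quoted in the post.
HARDENED_FAZ = """(global)# get
dh-params           : 8192
enc-algorithm       : high
fgfm-ssl-protocol   : tlsv1.2
oftp-ssl-protocol   : tlsv1.2
ssl-low-encryption  : disable
ssl-protocol        : tlsv1.2
ssl-static-key-ciphers: disable
webservice-proto    : tlsv1.2
"""

# Constructed: a weak FAZ (default-like values, invented for the example).
WEAK_FAZ = """(global)# get
dh-params           : 1024
enc-algorithm       : low
fgfm-ssl-protocol   : tlsv1.2
oftp-ssl-protocol   : sslv3
ssl-low-encryption  : enable
ssl-protocol        : tlsv1.2
ssl-static-key-ciphers: enable
webservice-proto    : tlsv1.2
"""

if __name__ == "__main__":
    for name, text in (("hardened FAZ", HARDENED_FAZ), ("weak FAZ", WEAK_FAZ)):
        findings = check_settings(parse_get_output(text), FAZ_BASELINE)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for key, actual, expected in findings:
            print(f"  {key}: is '{actual}', expected {expected}")
```

Paste the real CLI output into the text constants (or read it from a file) and diff the findings list against an empty list in whatever scheduled check you already run; an OFTP session that silently renegotiated down to SSLv3 after a factory reset shows up as a single line instead of going unnoticed.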


FortiGate vs FortiAnalyzer User Anonymize

Fortinet's products "FortiGate" (firewall) and "FortiAnalyzer" (log management system) both have an option to anonymize user names in their logs. However, they are not the same thing.

FortiGate

config log setting 
  set user-anonymize enable
end


This will replace all usernames with "anonymous":


FortiAnalyzer

Using "Privacy masking" in the FortiAnalyzer will change the username as follows:

Using "Obfuscate User" in the Advanced Settings of a report will hide user information in the report.

Syslog

When "user-anonymize" is enabled, the FortiGate also sends the username as "anonymous" to all syslog destinations and FortiAnalyzers. Therefore, additionally using "Privacy masking" on the FortiAnalyzer may no longer be necessary when "user-anonymize" is already enabled on the FGT.

More information can be found here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36317 and https://docs.fortinet.com/document/fortianalyzer/6.2.5/administration-guide/227385/reports-settings-tab and https://docs.fortinet.com

Monitor UniFi WLAN Access Point with PRTG with SNMPv3 Auth+Encrypted

This is a tiny guide on how to monitor your UniFi wireless access point, in this case a UniFi U7 Pro, with SNMPv3 using AES encryption and SHA authentication...