FortiGate and AlienVault Unified Security Management (USM)
In this video, Garrett Gross takes you step-by-step through configuring your FortiGate next-generation firewall to send logs to AlienVault USM, as well as how to enable plugins on the USM side to normalize the data. In no time, you will have normalized events coming into USM, maximizing visibility into your network’s security status and prioritizing security events that require attention.
Hey Aliens, Garrett here. I wanted to create a quick video to show you how easy it is to monitor your FortiGate security appliances within AlienVault USM.
First, we’ll configure our FortiGate to export syslog to a remote syslog server, in this case our USM inbox. If you’re using an older version of FortiOS, you can configure that here in the web UI under Log Settings. However, if you’re using FortiOS 5 or newer, you’ll have to configure this in the command line.
Ok. So, what I’ve done is I’ve set up a secure shell to the FortiGate appliance itself, and I’m just gonna enter in the following commands. So, I have ‘config log syslogd setting’, which puts me into edit mode for syslog. Then do your ‘set status enable’, and then I’m going to set the syslog server to the server that I’m going to send my syslog to. In this case, this would be your AlienVault USM inbox. Now you can set the port, or set the facility here, but by default the port is set to 514 and the facility is set to local7. The one thing to remember, though, is that nothing is going to be saved until you hit ‘end’.
Ok, now that we’ve configured the FortiGate security appliance to send syslog messages to AlienVault USM, let’s configure the syslog server on the USM inbox to receive the syslog messages and process the incoming logs to a unique file destination. On the USM inbox, we need to go to Jailbreak System, which will take us out of the prompt. And what I’m going to do is I’m going to create a configuration file in /etc/rsyslog.d that is going to tell the syslog server what to do with these incoming messages. Now, I’ve named mine fortigate.conf, but if you’re using a different plugin, it’s named differently or, more importantly, is referencing a different configuration file in the plugin itself, so make sure to reflect that here in the title.
So, let’s take a look at the configuration file. Let’s choose a suitable command. “If the IP address that the message is coming from matches this, then put it in /var/log/fortigate.log.” Let’s exit out of vi, we’ll restart the syslog service, and then let’s head to USM to enable the plugin that we’ve just configured. Log in to AlienVault USM. Once in, we’re gonna go to ‘Environment’ and then ‘Assets’. We’re gonna locate our FortiGate security appliance from the list and then click the icon under Details. Under ‘General’, we’re gonna go to ‘Plugins’. We’re gonna click ‘Edit Plugins’ and we’re gonna locate the plugin that we configured from the list. In this case, it’s the Fortinet FortiGate, and then click ‘Apply’.
The plugin is now enabled for use within USM and will begin to normalize the incoming events. Now we have the events generated by the FortiGate being sent to USM, detailing the activity on the device. Now, what I’ve done is run some attack simulations against the FortiGate to show you how USM alerts you to potentially malicious activity. You can see here a couple of alarms related to suspicious behavior. This first one looks like a Trojan connecting to a low-reputation C&C server.
Now, what’s cool about this is not only are you getting a really detailed alarm, but if the IP address associated with the alarm has an entry in our Open Threat Exchange, you’ll see this little bull’s-eye icon next to it. Clicking on the bull’s-eye takes you to our threat details page, which gives you more information about the threat: what type of threat it is, when the threat occurred, and then additional detail about this particular one, which happens to be a Command and Control server.
Now, this is all in an effort to arm you with the best tools available, the more intelligence the better, to allow you to quickly and efficiently mitigate the threats in your environment. Keep in mind that USM also comes with a robust reporting engine, allowing you to report on threat activity, demonstrate compliance, report on availability, etc.
Hopefully this video demonstrates how easy it is to monitor these devices, allowing the flexibility to not only monitor multiple FortiGates but also other devices within your network.
If you have any questions, don’t hesitate to reach out: firstname.lastname@example.org.
Once again, my name is Garrett Gross. Thanks for watching.
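The two configuration pieces the walkthrough types by hand, generated by a small POSIX shell script so they can be reviewed before being applied. This is an added example, not code from the video, AlienVault or Fortinet; the USM and FortiGate addresses are constructed placeholders, and the rsyslog rule is written in the RainerScript `if ... then` form with a trailing `& stop` (the video shows the source-IP match but not the exact file contents), which keeps the FortiGate messages from also being written to the general syslog files.

```shell
#!/bin/sh
# Added example (not from the video or AlienVault): generate the FortiOS CLI
# block and the rsyslog drop-in the walkthrough enters by hand.
# Assumptions: the addresses below are constructed placeholders; rsyslog 7+
# RainerScript syntax is assumed for the routing rule.

# Emit the FortiOS 5+ CLI commands that send syslog to a remote server.
# Port and facility default to the FortiOS defaults named in the video.
fortigate_syslog_cli() {
    server="$1"; port="${2:-514}"; facility="${3:-local7}"
    printf 'config log syslogd setting\n'
    printf '    set status enable\n'
    printf '    set server "%s"\n' "$server"
    printf '    set port %s\n' "$port"
    printf '    set facility %s\n' "$facility"
    printf 'end\n'
}

# Emit an rsyslog rule (for /etc/rsyslog.d/fortigate.conf) that routes messages
# from the FortiGate's source IP to a dedicated file and stops further
# processing, so they do not also land in /var/log/messages or syslog.
rsyslog_fortigate_rule() {
    src_ip="$1"; logfile="${2:-/var/log/fortigate.log}"
    printf "if \$fromhost-ip == '%s' then %s\n" "$src_ip" "$logfile"
    printf '& stop\n'
}

# Reject anything that is not a dotted-quad IPv4 address before it is
# written into either configuration (a typo here silently loses all logs).
is_ipv4() {
    ip="$1"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

main() {
    usm_ip="198.51.100.10"   # constructed: the USM sensor receiving syslog
    fgt_ip="198.51.100.1"    # constructed: the FortiGate sending syslog
    is_ipv4 "$usm_ip" && is_ipv4 "$fgt_ip" || { echo "bad address" >&2; exit 1; }
    echo "# paste into the FortiGate CLI:"
    fortigate_syslog_cli "$usm_ip"
    echo "# write to /etc/rsyslog.d/fortigate.conf, then restart rsyslog:"
    rsyslog_fortigate_rule "$fgt_ip"
}
main "$@"
```

After writing the drop-in and restarting rsyslog, confirm that new lines appear in /var/log/fortigate.log before enabling the plugin in USM; if the file stays empty, the source-IP match is the first thing to recheck, since a NAT hop between the FortiGate and the sensor changes the address rsyslog sees.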