TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Syslog
SUMMARY: Starter Queries for FortiGate Firewall
Query List
Admin Authentications
Local Firewall Authentication
Admin Login Disabled
Account Management
SSL VPN Information
SSL VPN Authentication Failures
Firewall Rule Management
Admin Authentications
Description
This search returns authentication attempts, successful and failed, made against any administrative interface of the FortiGate (https, ssh, etc.). The results to look at first are attempts originating from outside the internal network: these show that the management interface is reachable from the public internet, a risky configuration that exposes the device to credential guessing and other attacks.
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==32001 OR event.code==32002
| keep fortigate.duser, fortigate.FTNTFGTprofile, fortigate.src, fortigate.dst, fortigate.FTNTFGTmethod, fortigate.outcome, fortigate.reason
Additional Filter Options
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==32001 OR event.code==32002
| where fortigate.outcome=="failed"
| keep fortigate.duser, fortigate.FTNTFGTprofile, fortigate.src, fortigate.dst, fortigate.FTNTFGTmethod, fortigate.outcome, fortigate.reason
Event Code Breakdown
| Event Code | Description |
|---|---|
| 32001 | Admin Logon Success |
| 32002 | Admin Logon Failed |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.duser | The account attempting authentication. |
| fortigate.FTNTFGTprofile | The profile assigned to the account that successfully authenticated. |
| fortigate.src | The source IP address associated with the authentication attempt. |
| fortigate.dst | The destination IP address (firewall IP) associated with the authentication attempt. |
| fortigate.FTNTFGTmethod | The interface type (https, ssh, etc.) being used for the authentication attempt. |
| fortigate.outcome | The result of the authentication attempt. |
| fortigate.reason | The reason the authentication attempt failed. |
Local Firewall Authentication
Description
This query returns local authentication attempts against the firewall itself.
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==43008 OR event.code==43009 OR event.code==43010
| keep fortigate.outcome, fortigate.duser, fortigate.src, fortigate.dst, fortigate.FTNTFGTauthproto
Event Code Breakdown
| Event Code | Description |
|---|---|
| 43008 | Authentication Success |
| 43009 | Authentication Failure |
| 43010 | Authentication Lockout |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.outcome | The result of the authentication attempt. |
| fortigate.duser | The account that attempted authentication. |
| fortigate.src | The IP address the authentication attempt originated from. |
| fortigate.dst | The IP address of the firewall the authentication attempt was made against. |
| fortigate.FTNTFGTauthproto | The protocol/interface used in the authentication attempt. |
Admin Login Disabled
Description
This search returns instances of an IP address being blocked from admin login because of repeated failed attempts. Public IP addresses in the results show that the firewall is accepting admin authentications from the internet, an inherently risky configuration. Internal IP addresses appearing repeatedly in the results indicate potentially malicious behavior on the internal network (a compromised host or a misconfigured tool hammering the management interface).
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==32021
| keep fortigate.sproc
Event Code Breakdown
| Event Code | Description |
|---|---|
| 32021 | IP blocked for admin logon |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.sproc | The IP address originating the authentication request. |
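The Admin Authentications and Admin Login Disabled queries above return the raw events; the triage their descriptions call for (is the source outside the internal network, how many failures came from each source, which sources were blocked) is shown below as an added example in Python. It is not Huntress SIEM or Fortinet code. It parses FortiGate key=value syslog lines directly rather than the SIEM's normalized fields, so the field names it reads (srcip, status, ui, logid, method) are the device's own. The mapping of event.code to the last five digits of the FortiGate logid, the RFC1918-based definition of "internal", and the sample log lines are assumptions constructed for this example.

```python
"""Added example, not Huntress SIEM or Fortinet code.

Parses FortiGate key=value syslog lines and applies the logic of the
"Admin Authentications" and "Admin Login Disabled" queries: admin logons
from outside private address space, failed logons per source, and
sources blocked after repeated failures.

Assumptions (not stated on the page):
  * event.code is taken to be the last five digits of the FortiGate
    logid, e.g. logid="0100032002" -> 32002.
  * "internal" means RFC1918, loopback and link-local; a real deployment
    would substitute its own address list.
  * The sample log lines below are constructed, not captured from a device.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Event codes from this page's query tables
ADMIN_LOGON_SUCCESS = 32001
ADMIN_LOGON_FAILED = 32002
ADMIN_IP_BLOCKED = 32021

# FortiGate syslog is key=value; values that may contain spaces are double-quoted
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui="https(203.0.113.45)" carries the client address in parentheses
UI_IP_RE = re.compile(r'\(([^)]+)\)')

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample lines (see module docstring)
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:01:12 devname="FGT-EDGE" devid="FGT60FTK00000001" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.5.20)" method="https" srcip=10.10.5.20 dstip=10.10.5.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.10.5.20)"',
    'date=2024-05-01 time=08:02:40 devname="FGT-EDGE" devid="FGT60FTK00000001" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 dstip=198.51.100.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.45) because of invalid password"',
    'date=2024-05-01 time=08:02:55 devname="FGT-EDGE" devid="FGT60FTK00000001" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.45)" method="ssh" srcip=203.0.113.45 dstip=198.51.100.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.45) because of invalid password"',
    'date=2024-05-01 time=08:03:10 devname="FGT-EDGE" devid="FGT60FTK00000001" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="root" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 dstip=198.51.100.2 action="login" status="failed" reason="name_invalid" msg="Administrator root login failed from https(203.0.113.45) because of invalid user name"',
    'date=2024-05-01 time=08:03:11 devname="FGT-EDGE" devid="FGT60FTK00000001" logid="0100032021" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login disabled" ui="https(203.0.113.45)" action="login" status="failed" reason="max_loginfail" msg="Administrator login from https(203.0.113.45) is disabled for 60 seconds after 3 bad attempts"',
    'date=2024-05-01 time=08:10:02 devname="FGT-EDGE" devid="FGT60FTK00000001" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="ssh(192.168.1.5)" method="ssh" srcip=192.168.1.5 dstip=192.168.1.1 action="login" status="success" reason="none" profile="prof_admin" msg="Administrator netops logged in successfully from ssh(192.168.1.5)"',
]


def parse_fortigate_line(line: str) -> dict:
    """Return the key=value fields of one syslog line plus a derived event_code."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if "logid" in fields:
        fields["event_code"] = int(fields["logid"][-5:])  # assumption: see docstring
    return fields


def source_ip(rec: dict) -> Optional[str]:
    """srcip when present, otherwise the address embedded in the ui field."""
    if rec.get("srcip"):
        return rec["srcip"]
    m = UI_IP_RE.search(rec.get("ui", ""))
    return m.group(1) if m else None


def is_external(ip: str) -> bool:
    """True for addresses outside the INTERNAL_NETS list (not ipaddress.is_private,
    which also treats the 203.0.113.0/24 documentation range as private)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def admin_auth_events(records: list) -> list:
    """Equivalent of: where event.code==32001 OR event.code==32002."""
    return [r for r in records if r.get("event_code") in (ADMIN_LOGON_SUCCESS, ADMIN_LOGON_FAILED)]


def external_admin_logons(records: list) -> list:
    """Admin logon attempts (success or failure) arriving from outside the internal network."""
    hits = []
    for r in admin_auth_events(records):
        ip = source_ip(r)
        if ip and is_external(ip):
            hits.append(r)
    return hits


def failed_admin_logons_by_source(records: list) -> Counter:
    """Equivalent of adding: where fortigate.outcome=="failed", then counting per source."""
    return Counter(source_ip(r) for r in admin_auth_events(records) if r.get("status") == "failed")


def blocked_admin_sources(records: list) -> list:
    """Sources blocked for admin logon after repeated failures (event code 32021)."""
    return [source_ip(r) for r in records if r.get("event_code") == ADMIN_IP_BLOCKED]


if __name__ == "__main__":
    recs = [parse_fortigate_line(line) for line in SAMPLE_LOGS]
    for r in external_admin_logons(recs):
        print(f"EXTERNAL admin logon {r['status']:7} user={r['user']} via {r['method']} from {source_ip(r)}")
    print("failed logons per source:", dict(failed_admin_logons_by_source(recs)))
    print("blocked sources:", blocked_admin_sources(recs))
```

Run against the constructed lines, the three failures and the subsequent block all trace back to one public address, which is the pattern the Admin Login Disabled description asks you to look for; the internal successes from 10.10.5.20 and 192.168.1.5 are not flagged.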
Account Management
Description
This search returns events around the creation and modification of accounts local to the FortiGate firewall.
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==32130 OR event.code==32132
| keep fortigate.deviceExternalId, event.code, fortigate.duser, fortigate.FTNTFGTname, fortigate.msg
Event Code Breakdown
| Event Code | Description |
|---|---|
| 32130 | Local user account modified. |
| 32132 | Local user account created. |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.deviceExternalId | The Serial Number of the FortiGate producing the log. |
| fortigate.duser | The account performing the account management change. |
| fortigate.FTNTFGTname | The account affected by the account management change. |
| fortigate.msg | A human-readable description of the change. |
SSL VPN Information
Description
This search returns successful authentications and tunnel statistics for SSL VPN connections. Tunnel statistics such as duration and sent/received bytes are only present on the session-terminated event (39948); the authentication and session-established events carry the user, client address and tunnel ID needed to tie the three events of one session together.
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==39424 OR event.code==39947 OR event.code==39948
| keep event.code, fortigate.FTNTFGTtunnelid, fortigate.duser, fortigate.dst, fortigate.FTNTFGTtunnelip, fortigate.FTNTFGTduration, fortigate.out, fortigate.in
Event Code Breakdown
| Event Code | Description |
|---|---|
| 39424 | Authentication successful to SSL VPN |
| 39947 | SSL VPN session established |
| 39948 | SSL VPN session terminated |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.FTNTFGTtunnelid | The session ID assigned to the SSL VPN session. |
| fortigate.duser | The account name authenticating in the SSL VPN session. |
| fortigate.dst | The IP of the client initiating the session. |
| fortigate.FTNTFGTtunnelip | The NAT IP assigned to the SSL VPN client. |
| fortigate.FTNTFGTduration | The duration of the SSL VPN session measured in seconds. |
| fortigate.out | The bytes sent from the firewall to the client during the session. |
| fortigate.in | The bytes sent from the client to the firewall during the session. |
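Because the byte counts and duration arrive only on the terminated event, the three rows the SSL VPN Information query returns for one session have to be stitched together on the tunnel ID before they are useful. The Python below is an added example of that step, not Huntress SIEM or Fortinet code: it takes rows in the shape of the query's kept fields, builds one record per tunnel, and flags large uploads (bytes from client to firewall) and users connecting from more than one client address. The rows, the 500 MiB threshold and the multi-client rule are constructed assumptions for the example.

```python
"""Added example, not Huntress SIEM or Fortinet code.

Takes rows in the shape the "SSL VPN Information" query keeps and stitches
the three events per tunnel (39424 auth success, 39947 established,
39948 terminated) into one session record keyed on the tunnel ID, then
flags sessions worth a closer look. The rows, the 500 MiB upload threshold
and the "same user from several client addresses" rule are constructed
assumptions for this example.
"""
from collections import defaultdict

SSLVPN_AUTH_OK, SSLVPN_ESTABLISHED, SSLVPN_TERMINATED = 39424, 39947, 39948


def _row(code, tunnelid, duser, dst, tunnelip="", duration="", out="", in_=""):
    """Build one row using the page's kept field names (values as strings, as syslog delivers them)."""
    return {"event.code": code, "fortigate.FTNTFGTtunnelid": tunnelid, "fortigate.duser": duser,
            "fortigate.dst": dst, "fortigate.FTNTFGTtunnelip": tunnelip,
            "fortigate.FTNTFGTduration": duration, "fortigate.out": out, "fortigate.in": in_}


# Constructed result set
SAMPLE_ROWS = [
    _row(39424, "1001", "alice", "203.0.113.10"),
    _row(39947, "1001", "alice", "203.0.113.10", tunnelip="10.212.134.200"),
    _row(39948, "1001", "alice", "203.0.113.10", tunnelip="10.212.134.200", duration="3600", out="5242880", in_="734003200"),
    _row(39424, "1002", "bob", "198.51.100.20"),
    _row(39947, "1002", "bob", "198.51.100.20", tunnelip="10.212.134.201"),
    _row(39948, "1002", "bob", "198.51.100.20", tunnelip="10.212.134.201", duration="28800", out="209715200", in_="31457280"),
    _row(39424, "1003", "carol", "192.0.2.33"),
    _row(39947, "1003", "carol", "192.0.2.33", tunnelip="10.212.134.202"),  # still connected: no 39948 yet
    _row(39424, "1004", "alice", "198.51.100.7"),
    _row(39947, "1004", "alice", "198.51.100.7", tunnelip="10.212.134.203"),
    _row(39948, "1004", "alice", "198.51.100.7", tunnelip="10.212.134.203", duration="120", out="102400", in_="1048576"),
]


def stitch_sessions(rows):
    """One record per tunnel ID; stats are only filled in once the 39948 event arrives."""
    sessions = {}
    for r in rows:
        tid = r["fortigate.FTNTFGTtunnelid"]
        s = sessions.setdefault(tid, {"user": r["fortigate.duser"], "client_ip": r["fortigate.dst"],
                                      "tunnel_ip": None, "duration": None, "bytes_in": None,
                                      "bytes_out": None, "state": "authenticated"})
        if r["event.code"] == SSLVPN_ESTABLISHED:
            s["tunnel_ip"] = r["fortigate.FTNTFGTtunnelip"]
            s["state"] = "established"
        elif r["event.code"] == SSLVPN_TERMINATED:
            s["duration"] = int(r["fortigate.FTNTFGTduration"])
            s["bytes_in"] = int(r["fortigate.in"])      # client -> firewall, i.e. upload
            s["bytes_out"] = int(r["fortigate.out"])    # firewall -> client, i.e. download
            s["state"] = "terminated"
    return sessions


def flag_sessions(sessions, max_upload_bytes=500 * 1024 ** 2):
    """Return (tunnel_id, reason) pairs for large uploads and users seen from several client addresses."""
    clients_per_user = defaultdict(set)
    for s in sessions.values():
        clients_per_user[s["user"]].add(s["client_ip"])
    flags = []
    for tid, s in sessions.items():
        if s["bytes_in"] is not None and s["bytes_in"] >= max_upload_bytes:
            flags.append((tid, f"{s['user']} uploaded {s['bytes_in']} bytes in {s['duration']}s"))
        if len(clients_per_user[s["user"]]) > 1:
            flags.append((tid, f"{s['user']} seen from several client addresses: {sorted(clients_per_user[s['user']])}"))
    return flags


if __name__ == "__main__":
    for tid, reason in flag_sessions(stitch_sessions(SAMPLE_ROWS)):
        print(f"tunnel {tid}: {reason}")
```

Sessions still in the "established" state have no byte counts yet, so the upload rule skips them rather than treating missing stats as zero; they still count toward the per-user client address set.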
SSL VPN Authentication Failures
Description
This search returns failed SSL VPN authentication attempts.
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==39426
| keep event.code, fortigate.duser, fortigate.dst, fortigate.reason
Event Code Breakdown
| Event Code | Description |
|---|---|
| 39426 | Authentication failed to SSL VPN |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.duser | The account name authenticating in the SSL VPN session. |
| fortigate.dst | The IP of the client initiating the session. |
| fortigate.reason | The reason the authentication attempt failed. |
Firewall Rule Management
Description
This search will return changes made to firewall policy. This includes creation, modification, and deletion of policy rules. The results can be used to validate approved changes and detect unauthorized changes.
Search Query
from logs
| where event.provider=="Syslog-Fortigate"
| where event.code==44545 OR event.code==44547
| where fortigate.FTNTFGTcfgpath=="firewall.policy"
| keep fortigate.act, fortigate.duser, fortigate.msg, fortigate.FTNTFGTcfgobj, fortigate.FTNTFGTcfgattr
Event Code Breakdown
| Event Code | Description |
|---|---|
| 44545 | Configuration object modified |
| 44547 | Configuration object attribute modified |
Kept Field Breakdown
| Field | Description |
|---|---|
| fortigate.act | The action being performed. |
| fortigate.duser | The account performing the action. |
| fortigate.msg | A short description of the action performed. |
| fortigate.FTNTFGTcfgobj | The ID of the firewall rule. |
| fortigate.FTNTFGTcfgattr | Contains the details of the policy rule created or modified. |
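The cfgattr field is where the substance of a policy change lives, so validating changes against an approval means reading it rather than just counting events. The Python below is an added example of that review step, not Huntress SIEM or Fortinet code. It takes rows in the shape of the query's kept fields, parses cfgattr, and flags changes that broaden access: action set to accept, source or destination set to all, a disabled policy re-enabled, traffic logging switched off, and any deletion. The "attr[value]" and "attr[old->new]" layout of cfgattr, the Add/Edit/Delete act values, the sample rows and the risk rules are assumptions constructed for this example.

```python
"""Added example, not Huntress SIEM or Fortinet code.

Works on the fields the "Firewall Rule Management" query keeps
(fortigate.act, fortigate.duser, fortigate.FTNTFGTcfgobj,
fortigate.FTNTFGTcfgattr) and flags policy changes that broaden access.

Assumptions (not stated on the page):
  * cfgattr uses an "attr[value]attr[value]..." layout for new objects and
    "attr[old->new]" for edits of an existing object.
  * The act values Add / Edit / Delete, the sample rows and the risk rules
    are constructed for this example.
"""
import re

ATTR_RE = re.compile(r'(\w+)\[([^\]]*)\]')

# Constructed events in the shape the query's `keep` clause produces
SAMPLE_EVENTS = [
    {"act": "Add", "duser": "admin", "cfgobj": "42", "msg": "Add firewall.policy 42",
     "cfgattr": "srcintf[wan1]dstintf[lan]srcaddr[all]dstaddr[all]service[ALL]action[accept]schedule[always]logtraffic[disable]"},
    {"act": "Edit", "duser": "admin", "cfgobj": "7", "msg": "Edit firewall.policy 7",
     "cfgattr": "action[deny->accept]"},
    {"act": "Edit", "duser": "netops", "cfgobj": "7", "msg": "Edit firewall.policy 7",
     "cfgattr": "comments[->reviewed CHG-1234]"},
    {"act": "Edit", "duser": "netops", "cfgobj": "13", "msg": "Edit firewall.policy 13",
     "cfgattr": "status[disable->enable]srcaddr[Finance_Subnet->all]"},
    {"act": "Delete", "duser": "svc_backup", "cfgobj": "12", "msg": "Delete firewall.policy 12",
     "cfgattr": ""},
]


def parse_cfgattr(cfgattr: str) -> dict:
    """Map attribute name -> (old, new); old is None when the object is new."""
    out = {}
    for name, value in ATTR_RE.findall(cfgattr):
        if "->" in value:
            old, new = value.split("->", 1)
            out[name] = (old, new)
        else:
            out[name] = (None, value)
    return out


def review_policy_change(event: dict) -> list:
    """Return human-readable findings for one firewall.policy change (empty list = nothing notable)."""
    if event["act"].lower() == "delete":
        return [f"policy {event['cfgobj']} deleted"]
    findings = []
    for name, (old, new) in parse_cfgattr(event.get("cfgattr", "")).items():
        lname, lnew, lold = name.lower(), new.lower(), (old or "").lower()
        if lname == "action" and lnew == "accept" and lold != "accept":
            findings.append(f"action set to accept (was {old or 'n/a'})")
        elif lname in ("srcaddr", "dstaddr") and lnew == "all" and lold != "all":
            findings.append(f"{lname} set to all (was {old or 'n/a'})")
        elif lname == "status" and lnew == "enable" and lold == "disable":
            findings.append("disabled policy re-enabled")
        elif lname == "logtraffic" and lnew == "disable":
            findings.append("traffic logging disabled")
    return findings


def review_policy_changes(events: list) -> list:
    """Run review_policy_change over a result set; returns (cfgobj, duser, findings) for hits only."""
    report = []
    for e in events:
        findings = review_policy_change(e)
        if findings:
            report.append((e["cfgobj"], e["duser"], findings))
    return report


if __name__ == "__main__":
    for cfgobj, duser, findings in review_policy_changes(SAMPLE_EVENTS):
        print(f"policy {cfgobj} changed by {duser}: " + "; ".join(findings))
```

The comment-only edit to policy 7 produces no finding, which is the point of parsing the attribute rather than alerting on every 44547: the noise comes from benign attribute edits, the signal from the handful of attributes that change what traffic the rule allows.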