fortigate vpn auth logs config changes #712

hardikhdholariya · 2025-02-06T17:45:27Z

No description provided.

VatsalJagani · 2025-02-06T17:57:47Z

cyences_app_for_splunk/default/props.conf

@@ -210,12 +210,12 @@ EXTRACT-src_ip_for_radius = \sfrom \'(?<src_ip>[^\']+)\',

 [fgt_event]
 # fgt_event for old Fortigate Add-on (1.6.2)
-EVAL-dest_category = if(subtype="vpn" AND vendor_action IN ("negotiate", "ssl-login-fail"), "vpn_auth", dest_category)
+EVAL-dest_category = if(subtype="vpn" AND vendor_action IN ("tunnel-up", "ssl-login-fail"), "vpn_auth", dest_category)


Just tunnel-up won't work, because tunnel-up also includes Network tunnels, which is not expected.
We need to use logdesc or other fields to limit the right VPN login data.

VatsalJagani · 2025-02-07T09:40:49Z

cyences_app_for_splunk/default/eventtypes.conf

@@ -31,7 +31,7 @@ search = sourcetype="pan:system" object="RSA_Radius" dest_category="radius_auth"
 ### Fortigate VPN ###
 #####################
 [cs_fortigate_vpn_auth]
-search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" vendor_action IN ("negotiate", "ssl-login-fail")
+search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" vendor_action IN ("tunnel-up", "ssl-login-fail")


Need the change here as well.

VatsalJagani · 2025-02-07T09:41:48Z

cyences_app_for_splunk/default/props.conf



 [fortigate_event]
 # fortigate_event for the new Fortigate Add-on (1.6.5)
-EVAL-dest_category = if(subtype="vpn" AND vendor_action IN ("negotiate", "ssl-login-fail"), "vpn_auth", dest_category)
+EVAL-dest_category = if(subtype="vpn" AND ((vendor_action="tunnel-up" reason="login successfully") OR vendor_action="ssl-login-fail"), "vpn_auth", dest_category)
 # Note - eval action is not working because Fortigate Add-on's lookup is overriding the action field, hence we need to make changes in the data-model definition
 # action field update in the Authentication data-model -> case(sourcetype="fgt_event" AND subtype="vpn" AND vendor_action IN ("tunnel-up", "phase2-up"), "success", sourcetype="fgt_event" AND subtype="vpn" AND vendor_action="ssl-login-fail", "failure", isnull(action) OR action="", "unknown", 1==1, action)


Do we need to change this as per new logic for action field - failure & success?

as per note, action field is overriding from fortigate addon. so I'm testing it and after will change.

Let's write a note here that fortigate Add-on is overriding the action field, hence we are not writing the props config here and instead writing it in the data-model & dashboard queries.

VatsalJagani · 2025-02-07T13:36:29Z

cyences_app_for_splunk/default/data/ui/views/cs_vpn_reports.xml

@@ -231,7 +232,7 @@
      <table>
        <title>Successful Session</title>
        <search>
-          <query>`cs_vpn_indexes` dest_category="vpn_auth" action="success" user IN $User$ dest=$tkn_dest$ src=$tkn_public_ip$ 
+          <query>`cs_vpn_indexes` dest_category="vpn_auth" action="added" user IN $User$ dest=$tkn_dest$ src=$tkn_public_ip$ 


We need to put only specific tunnel-down, just like tunnel-up

VatsalJagani · 2025-02-07T13:37:35Z

cyences_app_for_splunk/default/props.conf



 [fortigate_event]
 # fortigate_event for the new Fortigate Add-on (1.6.5)
-EVAL-dest_category = if(subtype="vpn" AND vendor_action IN ("negotiate", "ssl-login-fail"), "vpn_auth", dest_category)
+EVAL-dest_category = if(subtype="vpn" AND ((vendor_action="tunnel-up" reason="login successfully") OR vendor_action="ssl-login-fail"), "vpn_auth", dest_category)
 # Note - eval action is not working because Fortigate Add-on's lookup is overriding the action field, hence we need to make changes in the data-model definition
 # action field update in the Authentication data-model -> case(sourcetype="fgt_event" AND subtype="vpn" AND vendor_action IN ("tunnel-up", "phase2-up"), "success", sourcetype="fgt_event" AND subtype="vpn" AND vendor_action="ssl-login-fail", "failure", isnull(action) OR action="", "unknown", 1==1, action)


Let's write a note here that fortigate Add-on is overriding the action field, hence we are not writing the props config here and instead writing it in the data-model & dashboard queries.

fortigate vpn auth logs config changes

0ec5e5b

hardikhdholariya requested review from VatsalJagani and roaaattalla February 6, 2025 17:45

VatsalJagani requested changes Feb 6, 2025

View reviewed changes

review changes

e4271e7

VatsalJagani requested changes Feb 7, 2025

View reviewed changes

hardikhdholariya added 2 commits February 7, 2025 16:12

review changes

fbea90b

action field changes for the fortigate vpn logs

a6079d2

VatsalJagani requested changes Feb 7, 2025

View reviewed changes

hardikhdholariya added 2 commits February 7, 2025 19:39

review changes

e5726b3

review changes

d153502

VatsalJagani approved these changes Feb 7, 2025

View reviewed changes

hardikhdholariya merged commit be0f4d6 into master Feb 7, 2025
1 check passed

hardikhdholariya deleted the fortigate-vpn-log-mapping branch February 7, 2025 16:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fortigate vpn auth logs config changes #712

fortigate vpn auth logs config changes #712

hardikhdholariya commented Feb 6, 2025

VatsalJagani Feb 6, 2025 •

edited

Loading

VatsalJagani Feb 7, 2025

VatsalJagani Feb 7, 2025

hardikhdholariya Feb 7, 2025

VatsalJagani Feb 7, 2025

VatsalJagani Feb 7, 2025

VatsalJagani Feb 7, 2025

fortigate vpn auth logs config changes #712

fortigate vpn auth logs config changes #712

Conversation

hardikhdholariya commented Feb 6, 2025

VatsalJagani Feb 6, 2025 • edited Loading

Choose a reason for hiding this comment

VatsalJagani Feb 7, 2025

Choose a reason for hiding this comment

VatsalJagani Feb 7, 2025

Choose a reason for hiding this comment

hardikhdholariya Feb 7, 2025

Choose a reason for hiding this comment

VatsalJagani Feb 7, 2025

Choose a reason for hiding this comment

VatsalJagani Feb 7, 2025

Choose a reason for hiding this comment

VatsalJagani Feb 7, 2025

Choose a reason for hiding this comment

VatsalJagani Feb 6, 2025 •

edited

Loading