
ESM 9.5 and Fortigate data source problem

Hi Guys,

I have a problem with my Fortigate data source. When I add my Fortigate data source, I get only one rule, TRAFFIC Traffic local message, but this isn't good.

Can you help me?

Many thanks

Jiri

4 Replies
McAfee Employee
Message 2 of 5

Re: ESM 9.5 and Fortigate data source problem

Can you verify that there are logs being sent from the Fortigate that are not being parsed? I recommend turning on "Log 'Unknown Syslog' Event" under the data source to see if there are additional logs that are being provided that are not being parsed. If so, parsing rules can be created.

Re: ESM 9.5 and Fortigate data source problem

Hi,

Yes, that's the event summary name under Fortigate; you need to go into the details of each event by clicking on Event drill down --> Events.

Hope this helps!

Regards,

Vinaya.

Re: ESM 9.5 and Fortigate data source problem

McAfee ESM (any version) is not parsing the Fortigate ver 5.x events. It will parse only Fortigate version 4.x. We created a ticket with support and found the answer below for the same.

For more than 1 year McAfee has not provided any solution for Fortigate ver 5.

===========================================================

Fortinet have introduced event ID 13 (description: Traffic Forward). "Forward" is described by Fortinet as traffic that passes through the FortiGate unit.  Many events are now categorized as the "Traffic Forward" event that were previously categorized as more granular events.

So our parsing hasn't changed, but the way Fortinet is categorizing the events has and this is why you are seeing differences.

Note: But in the supported product list they mention Fortigate ver. 5. They should remove ver 5 from the list.
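To see for yourself what the "Traffic Forward" bucket hides, and which lines would surface under "Log Unknown Syslog Event" in the reply above, here is a small stand-alone parser. This is an added example, not code from this thread or from McAfee's Fortigate parser. It assumes the FortiOS 5.x key=value syslog layout (fields such as type=traffic subtype=forward, action=, policyid=, service=); the sample lines, device name, addresses and logids are constructed for the example, not captured from a real unit.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiOS 5.x key=value syslog layout (not real
# device output). The leading <PRI> is the syslog priority header. The last
# line is deliberately not key=value so it exercises the "unknown" path that
# "Log Unknown Syslog Event" would expose in ESM.
SAMPLE_LOGS = [
    '<189>date=2015-08-10 time=10:01:02 devname=FGT-1 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.1.1.5 dstip=93.184.216.34 '
    'srcport=51000 dstport=443 service=HTTPS action=accept policyid=7',
    '<189>date=2015-08-10 time=10:01:03 devname=FGT-1 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.1.1.9 dstip=10.2.2.2 '
    'srcport=52000 dstport=23 service=TELNET action=deny policyid=0',
    '<189>date=2015-08-10 time=10:01:04 devname=FGT-1 logid=0000000014 '
    'type=traffic subtype=local level=notice srcip=10.1.1.5 dstip=10.1.1.1 '
    'dstport=22 service=SSH action=accept msg="local traffic to the unit"',
    '<189>Aug 10 10:01:05 FGT-1 kernel: something the parser does not understand',
]

# key=value, where the value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PRI_RE = re.compile(r'^<\d{1,3}>')


def parse_fortigate(line):
    """Return a dict of key=value fields, or None if the line is not in that layout."""
    body = PRI_RE.sub('', line, count=1)
    fields = {}
    for m in KV_RE.finditer(body):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    # A FortiGate record always carries date= and type=; anything without them
    # is treated as unknown syslog rather than silently mis-parsed.
    if 'type' not in fields or 'date' not in fields:
        return None
    return fields


def summarize(lines):
    """Group parsed records the way ESM summarises them, then break the
    forward bucket down by the fields that used to be separate events."""
    parsed, unknown = [], []
    for ln in lines:
        f = parse_fortigate(ln)
        if f is None:
            unknown.append(ln)
        else:
            parsed.append(f)
    # One summary name per (type, subtype): this is the granularity ESM shows.
    summary = Counter((f['type'], f.get('subtype', '?')) for f in parsed)
    # Inside "traffic/forward", action + policy + service is what you actually
    # need for detection (e.g. denied TELNET on policy 0) and what drill-down
    # into the individual event reveals.
    forward_detail = Counter(
        (f.get('action'), f.get('policyid'), f.get('service'))
        for f in parsed if f.get('subtype') == 'forward'
    )
    return {'summary': summary, 'forward_detail': forward_detail, 'unknown': unknown}


if __name__ == '__main__':
    result = summarize(SAMPLE_LOGS)
    print('ESM-style summary:', dict(result['summary']))
    print('Forward bucket detail:', dict(result['forward_detail']))
    print('Unknown syslog lines:', result['unknown'])
```

Run it against your own exported syslog instead of SAMPLE_LOGS: a large `('traffic', 'forward')` count with an empty unknown list means the device is sending FortiOS 5-style records and ESM is parsing them, just under one coarse name; a non-empty unknown list is the case the employee reply describes, where custom parsing rules are needed.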

McAfee Employee
Message 5 of 5

Re: ESM 9.5 and Fortigate data source problem

There were some Fortinet rule updates on 7/21/15 and 8/3/15. It's worth taking another look after a rule update.