I have two questions concerning the data sources (McAfee ESM v9.2.1).
1) Did you have any issues implementing a data source "Fortigate Firewall"? The Receiver doesn't parse all the messages and I can't create a custom rule because the type is not ASP.
2) How do I configure the "Radware DefensePro" in order to collect events and send them to the "McAfee Receiver"? By APsolute Vision or for each device?
1. Switch to an ASP version. With ASP we tend to write rules to cover all the versions, and if we don't have the rules to cover it, a PER can be logged to get additional parsing. I realize the model names may not line up, but it would be worth taking a sample of one of the logs that aren't parsed and saving that to a text file, and then do the following:
a. Create a fake data source with one of the other models selected. Make sure you say "Support Generic Syslog"
b. Write out the data source settings and push out policy
c. Edit the newly created data source and execute the "Upload" button
d. Browse to your text file with the log sample
e. Verify if the log was parsed out correctly.
f. Repeat the steps until you have found the correct model
2. I'm not sure I understand what you are asking with this question. Are you looking for specific instructions for configuring Radware to syslog data to the McAfee Receiver?
1) There is no way to select a model Fortinet Firewall of type ASP; by the way, I've just discovered that the Fortigate sends messages that are not documented in the official log guide (Fortigate Log Message Reference Guide v2.8);
2) I need to know the setup on the device side;
We had the same issue. Then we tried Fortigate UTM Space Delimited and it worked and parsed all the events. So give it a shot by selecting Vendor as Fortigate and Product as Fortigate UTM - Space Delimited. You can try Comma Delimited if the above is not working.
Thank you for your reply.
Actually, I found the official documentation of Fortinet (Log Message Reference Guide) and inside it there is no evidence concerning some logs that the appliance sends, e.g. 00380000007.
So we opened a ticket with Fortinet in order to know something more.
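As an added example (not code from any post in this thread), a small Python script that does the triage the earlier answer describes: it reads a saved FortiGate "space delimited" sample, separates lines that are not clean key=value records, lists the log IDs (such as the 00380000007 mentioned above) that are missing from a set of documented IDs you maintain, and produces one line per such ID for the upload test against a throwaway data source. The sample lines, device id and the documented-ID set are constructed placeholders, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of FortiGate "space delimited" syslog bodies (key=value pairs,
# values with spaces double-quoted). Device id and addresses are placeholders.
SAMPLE_LOGS = """\
date=2014-03-05 time=10:21:13 devname=FGT-EDGE devid=FGT-PLACEHOLDER logid=0000000013 type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=203.0.113.9 action=accept msg="accepted traffic"
date=2014-03-05 time=10:21:14 devname=FGT-EDGE devid=FGT-PLACEHOLDER logid=00380000007 type=event subtype=system level=information msg="message not listed in the reference guide"
date=2014-03-05 time=10:21:15 devname=FGT-EDGE devid=FGT-PLACEHOLDER logid=0100032001 type=event subtype=system level=notice user="admin" msg="Administrator admin logged in successfully from https(10.0.0.7)"
garbage line that is not key=value and must be reported separately
"""

# Assumed (constructed) set of log IDs you have confirmed in the vendor reference guide.
DOCUMENTED_LOGIDS = {"0000000013", "0100032001"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_line(line):
    """Return {key: value} for a clean key=value line, or None if anything else is present."""
    fields, pos = {}, 0
    for m in KV_RE.finditer(line):
        if line[pos:m.start()].strip():      # stray text between pairs -> not a clean record
            return None
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                  # strip the quotes around multi-word values
        fields[key] = val
        pos = m.end()
    if line[pos:].strip() or not fields:
        return None
    return fields

def triage(raw, documented=DOCUMENTED_LOGIDS):
    """Group raw lines by logid; return (by_logid, unparseable_lines, undocumented_logids)."""
    by_logid, unparseable = defaultdict(list), []
    for line in raw.splitlines():
        if not line.strip():
            continue
        fields = parse_fortigate_line(line)
        if fields is None or "logid" not in fields:
            unparseable.append(line)
        else:
            by_logid[fields["logid"]].append(line)
    undocumented = sorted(set(by_logid) - set(documented))
    return dict(by_logid), unparseable, undocumented

def sample_for_upload(by_logid, logids):
    """One raw line per log ID: the text file to upload against a test data source."""
    return "\n".join(by_logid[lid][0] for lid in logids if lid in by_logid)

if __name__ == "__main__":
    by_logid, bad, undocumented = triage(SAMPLE_LOGS)
    print("undocumented log IDs:", undocumented, "| unparseable lines:", len(bad))
    print(sample_for_upload(by_logid, undocumented))
```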