4 Replies Latest reply on Aug 13, 2015 6:30 PM by andy777

    ESM 9.5 and Fortigate data source problem

    kecirij

      Hi Guys,

      I have a problem with my Fortigate data source. When I add my Fortigate data source... I get only one rule, TRAFFIC Traffic local message, but this isn't good.

      Can you help me?

      Many thanks

      Jiri

        • 1. Re: ESM 9.5 and Fortigate data source problem
          andy777

          Can you verify that there are logs being sent from the Fortigate that are not being parsed? I recommend turning on "Log Unknown Syslog Event" under the data source to see if there are additional logs being provided that are not being parsed. If so, parsing rules can be created.

          • 2. Re: ESM 9.5 and Fortigate data source problem
            vinaya_k

            Hi,

            Yes, that's the event summary name under Fortigate; you need to go into the details of each event by clicking on event drill down --> events.

            Hope this helps!

            Regards,

            Vinaya.

            • 3. Re: ESM 9.5 and Fortigate data source problem
              mariajohn14

              McAfee ESM (any version) does not parse Fortigate ver 5.x events. It will parse only Fortigate version 4.x. We created a ticket with support and received the answer below.

              For more than 1 year McAfee has not provided any solution for Fortigate ver 5.

              ===========================================================

              Fortinet have introduced event ID 13 (description: Traffic Forward). "Forward" is described by Fortinet as traffic that passes through the FortiGate unit. Many events are now categorized as the "Traffic Forward" event that were previously categorized as more granular events.

              So our parsing hasn't changed, but the way Fortinet is categorizing the events has, and this is why you are seeing differences.

              Note: But in the product supported list they mention Fortigate ver. 5. They should remove ver 5 from the list.
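As an added illustration (not part of this thread, nor McAfee or Fortinet tooling) of the check andy777 suggests and the "Traffic Forward" categorization quoted above, the script below tallies constructed FortiOS 5.x-style key=value syslog lines by type/subtype and surfaces lines it cannot parse, which is what an "Unknown Syslog" review on the data source would show you. All device names, IPs and logid values other than 13 are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiOS 5.x key=value syslog style.
# Only logid 13 (Traffic Forward) comes from the thread; the rest are placeholders.
SAMPLE_LOGS = [
    'date=2015-08-10 time=10:00:01 devname=FGT-LAB devid=FGT-PLACEHOLDER logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=203.0.113.9 action=accept',
    'date=2015-08-10 time=10:00:02 devname=FGT-LAB devid=FGT-PLACEHOLDER logid=0000000099 '
    'type=traffic subtype=local level=notice srcip=10.0.0.7 dstip=10.0.0.1 action=deny',
    'date=2015-08-10 time=10:00:03 devname=FGT-LAB devid=FGT-PLACEHOLDER logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.8 dstip=198.51.100.2 action=accept',
    '<189>Aug 10 10:00:04 FGT-LAB free-text message with no fields',  # would be "unknown syslog"
]

# key=value pairs; values may be quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line):
    """Return a dict of the line's key=value fields, or None if it lacks a type= field."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if 'type' not in fields:
        return None
    return fields


def summarize(lines):
    """Count events per (type, subtype) and collect lines the parser cannot handle.

    A healthy feed shows several (type, subtype) buckets; if everything lands in
    one bucket or in `unparsed`, the parsing rules need attention.
    """
    counts = Counter()
    unparsed = []
    for line in lines:
        fields = parse_fortigate_line(line)
        if fields is None:
            unparsed.append(line)
            continue
        counts[(fields['type'], fields.get('subtype', '?'))] += 1
    return counts, unparsed


if __name__ == '__main__':
    counts, unparsed = summarize(SAMPLE_LOGS)
    for (etype, subtype), n in sorted(counts.items()):
        print(f'{etype}/{subtype}: {n}')
    print(f'unparsed lines: {len(unparsed)}')
```

Point the script at a file of raw syslog captured before it reaches the ESM to compare the device's own type/subtype mix against what the data source shows.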

               

              • 4. Re: ESM 9.5 and Fortigate data source problem
                andy777

                There were some Fortinet rule updates on 7/21/15 and 8/3/15. It's worth taking another look after a rule update.