FortiSIEM Network Topology View of Devices

Network Topology View of Devices

FortiSIEM provides two ways to view the topology of your IT infrastructure, one at the CMDB level that shows all devices, and another at the level of device groups and individual devices.

How is Network Topology Discovered and Visualized?

CMDB All Devices View

CMDB All Devices User Interface Controls

Device Group and Device View

Device Group and Device View User Interface Controls

Viewing Device Information in the Topological Map

How is Network Topology Discovered and Visualized?

FortiSIEM discovers network topology at two levels, layer 3 and layer 2. Layer 3 connectivity involves IP addresses, while Layer 2 connectivity

The layer 3 topology is discovered by obtaining the network interface IP addresses and masks of all devices via SNMP (RFC 1213). Local networks, e.g. loopback (127.0.0.0/8) and link-local addresses (169.254.0.0/16), are filtered out, and the distinct network segments are identified.

A layer 3 topology is visualized on the FortiSIEM Topology map by:

  1. Drawing network segments and devices as nodes, and
  2. Drawing line segments from each network segment node to every device node that has an interface with an IP address in that network segment.

The devices are represented by vendor specific icons and the network nodes are represented by a line and labeled as “Net-<net>/<maskbits>”. For visual clarity:

Only the network devices are drawn by default. A network device is one that belongs to the Network Device tab in the CMDB. Only those networks are drawn that have devices discovered by FortiSIEM (and present in the CMDB). There is a “+” button next to those networks. Clicking the “+” button displays the hosts on that network in the topology graph; clicking the “-” button hides them.
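As an added illustration (not FortiSIEM code), the following Python derives the layer 3 segment nodes and their edges from a constructed set of interface IP/mask pairs, applying the same loopback and link-local filtering and the Net-<net>/<maskbits> labeling described above, and mimics the default "network devices only" view with its “+” expansion. The device names and addresses are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what an SNMP (RFC 1213) interface walk would yield:
# device -> list of (interface IP, netmask). Not real discovery output.
DEVICES = {
    "core-sw1": [("10.0.1.1", "255.255.255.0"), ("10.0.2.1", "255.255.255.0"),
                 ("127.0.0.1", "255.0.0.0")],
    "fw1": [("10.0.1.2", "255.255.255.0"), ("203.0.113.5", "255.255.255.248"),
            ("169.254.10.1", "255.255.0.0")],
    "srv-web": [("10.0.2.20", "255.255.255.0")],
    "srv-db": [("10.0.2.21", "255.255.255.0")],
}
# Devices assumed to sit under the CMDB Network Device tab (drawn by default); the rest are hosts.
NETWORK_DEVICES = {"core-sw1", "fw1"}

# Local ranges that are filtered out before the distinct segments are identified.
FILTERED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("169.254.0.0/16")]


def segment_label(ip, mask):
    """Return the 'Net-<net>/<maskbits>' node label for an interface, or None if filtered."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    if any(iface.ip in net for net in FILTERED):
        return None
    return f"Net-{iface.network.network_address}/{iface.network.prefixlen}"


def build_layer3_topology(devices):
    """Map each distinct segment node to the set of device nodes with an interface in it."""
    edges = defaultdict(set)
    for device, interfaces in devices.items():
        for ip, mask in interfaces:
            label = segment_label(ip, mask)
            if label is not None:
                edges[label].add(device)
    return dict(edges)


def drawn_nodes(edges, network_devices, expanded=()):
    """Nodes visible on the map: every segment, every network device, and the hosts of
    segments whose '+' button has been clicked (the labels listed in `expanded`)."""
    visible = set(edges)
    for segment, devices in edges.items():
        for device in devices:
            if device in network_devices or segment in expanded:
                visible.add(device)
    return visible
```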

When an enterprise network has Layer 2 switches and hubs, a layer 3 topology misses the connectivity between servers and layer 2 switches and the trunk port connectivity between layer 2/3 switches. Layer 2 discovery is difficult and, more importantly, vendor dependent, as vendors have different implementations of the Spanning Tree Protocol (STP).

For Cisco switches, the layer 2 topology is obtained via SNMP (IEEE spanning tree MIB as found in RFC1493 and CISCO-VTP-MIB) as follows:

For every switch:

  1. Identify all active VLANs on that switch
  2. For every active VLAN:
     a. Get the MAC forwarding table
     b. Get the STP table to identify trunk ports and the directly connected trunk ports on adjacent switches

The MAC forwarding table obtained in Step 2a provides the server to switch port connectivity (after eliminating the trunk port entries obtained in step 2b). The trunk port connectivity between switch ports is directly obtained from Step 2b.
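An added example (not FortiSIEM's discovery code) that works through steps 2a and 2b on constructed per-VLAN tables for one switch: trunk links are taken from the STP data, and those trunk ports are then removed from the MAC forwarding entries to leave the host-to-port mapping. It assumes, as a simplification, that a port is a trunk when its STP designated bridge is a different switch; the switch, port and MAC values are made up.

```python
from collections import defaultdict

SELF_BRIDGE = "sw1"          # the switch being discovered (constructed name)

# Step 1: active VLANs on this switch; VLAN 99 exists but is not active.
ACTIVE_VLANS = {10, 20}

# Step 2a: MAC forwarding table, walked per VLAN: (vlan, mac, port). Constructed values.
FDB = [
    (10, "00:11:22:33:44:01", "Gi1/0/1"),
    (10, "00:11:22:33:44:02", "Gi1/0/2"),
    (10, "00:11:22:33:44:a1", "Gi1/0/24"),   # learned across the trunk from another switch
    (20, "00:11:22:33:44:03", "Gi1/0/3"),
    (20, "00:11:22:33:44:a2", "Gi1/0/24"),
    (99, "00:11:22:33:44:09", "Gi1/0/9"),    # inactive VLAN, ignored
]

# Step 2b: STP table per VLAN: port -> designated bridge. Constructed values.
# Assumption: a port whose designated bridge is another switch is a trunk to that switch.
STP = {
    10: {"Gi1/0/1": "sw1", "Gi1/0/2": "sw1", "Gi1/0/24": "sw2"},
    20: {"Gi1/0/3": "sw1", "Gi1/0/24": "sw2"},
}


def trunk_links(stp, self_bridge, active_vlans):
    """Return {(local_port, adjacent_switch): set_of_vlans} for trunk ports (step 2b).
    The VLAN set is what the orange trunk link's tool tip would show."""
    links = defaultdict(set)
    for vlan in active_vlans:
        for port, bridge in stp.get(vlan, {}).items():
            if bridge != self_bridge:
                links[(port, bridge)].add(vlan)
    return dict(links)


def port_mapping_table(fdb, stp, self_bridge, active_vlans):
    """Host-to-switch-port rows (vlan, mac, port): forwarding entries on active VLANs
    with the trunk-port entries from step 2b eliminated."""
    trunk_ports = {port for (port, _) in trunk_links(stp, self_bridge, active_vlans)}
    return [(vlan, mac, port) for vlan, mac, port in fdb
            if vlan in active_vlans and port not in trunk_ports]
```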

The Layer 2 topology is visualized on the FortiSIEM topology diagram by choosing the layer 2 mode. Then by clicking the “+” next to a device, the VLANs on that switch are displayed. Also, the trunk port connectivity is shown in an orange color and a tool tip provides the VLANs over this trunk link.

Then by clicking on the “+” of a VLAN, the hosts belonging to that VLAN and also the switch ports they connect to are displayed.

The host to switch port connectivity can also be seen in a tabular form by first clicking the switch and then clicking the “Port Mapping Table”.

CMDB All Devices View

This screenshot shows the CMDB tab selected, and in the Device View, Topology is selected. This topology map shows all the devices for the selected organization, and provides controls for editing the topology views that will be available to users from that organization.

CMDB All Devices User Interface Controls

UI Control: Description

Zoom: Use the slider to increase or decrease the zoom level of the map

Organizations Filter: For multi-tenant deployments, filter devices based on the organization they belong to

View: Select the layers, connection types, and number of hops from the host to display in the map

Search: Search for specific devices based on name, IP, or Business Service

View Options: Set the display options, including severity levels, for the map

Layout Options: Set the type of topological map to display, as well as the length of links between devices

Save and Update:
  Refresh - When you make a change to the map settings, click Refresh to see them reflected in the map
  Save - Save your Layout and View Options to use them in other topological maps associated with this organization
  Sync - If you make changes to your infrastructure or add devices to the CMDB, click Sync to see them reflected in the map

Device Group and Device View

You can access the device group view of the topological map by selecting a group of devices in the Device View, and then clicking the Topo button in the Summary pane. Select an individual device, and then click the Topo button in the Details pane to view that device within the topological map.

Device Group and Device View User Interface Controls

UI Control: Description

Zoom: Use the slider to increase or decrease the zoom level of the map

View Controls: Click on the arrow icon in the upper-right corner of the map to open these controls. Options to enable/disable node dragging, incident display, connection layer display, and the number of hops from the host to display.

Map Explorer: Click on the arrow icon in the lower-right corner of the map to open the Map Explorer. As you zoom into the map, the map explorer shows you the area that you are currently viewing. You can move to another area by clicking and dragging the highlighted section of the map explorer to that area.

Viewing Device Information in the Topological Map

Devices within the topological map have additional icons to represent information about the device.

Icon Name: Description

Show Connected Hosts: If a device has a green + icon in the topological map, you can click on that icon to see the hosts that are connected to that device

Show Incident Details: Incidents for a device are displayed as a number in a circle to the right of the device icon, with the color of the circle (red, yellow, green) indicating the severity of the incidents. Click the number to view the Incident Summary for the device, and then click an individual incident to view the Incident Details in the List View of Incidents. In the Incident Summary you can also view and apply a subset of options from the Analysis Menu by hovering your mouse cursor over the Incident Source or Incident Target entries for the incident.

Show Device Details: Click on the name of the device to view details about it. The kind of information displayed depends on the type of device you select.

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
