Configuring External Systems for Discovery, Monitoring and Log Collection

Ports Used by FortiSIEM for Discovery and Monitoring

These ports are used by FortiSIEM to discover devices, pull metrics and process event logs.

Ports | Services | Super | Worker | Collector
----- | -------- | ----- | ------ | ---------
UDP/514 | UDP syslog | x | x | x
TCP/1470 | TCP syslog | x | x | x
UDP/6514 | UDP syslog over TLS | x | x | x
TCP/6514 | TCP syslog over TLS | x | x | x
UDP/2055 | NetFlow | x | x | x
TCP/22 | SSH | x | x | x
TCP/5480 | HTTP Registration | | | x
ICMP | ICMP | x | x | x
TCP/21 | FTP (receiving Bluecoat logs via FTP) | x | x | x
TCP/5432 | PostgreSQL | x | |
UDP/111, TCP/111 | NFS portmapper | x | x |
TCP/7900 | phMonitor | x | x |
TCP/7914 | phParser | x | x |
TCP/7916 | phQueryWorker | x | x |
TCP/7918 | phQueryMaster | x | x |
TCP/7920 | phDataManager | x | x |
TCP/7922 | phRuleMaster | x | x |
TCP/7924 | phRuleWorker | x | x |
TCP/7926 | phAgentManager | x | x |
TCP/7928 | phDiscover | x | x |
TCP/7930 | phCheckpoint | x | x |
TCP/7932 | phReportWorker | x | x |
TCP/7934 | phReportMaster | x | x |
TCP/7936 | phEventPackager | x | x |
TCP/7938 | phIpIdentityMaster | x | x |
TCP/7940 | phIpIdentityWorker | x | x |
TCP/110 | POP3 | x | |
TCP/135 | WMI | x | x | x
TCP/143 | IMAP | x | |
UDP/161 | SNMP | x | x | x
UDP/162 | SNMP Trap | x | x | x
TCP/389 | LDAP | x | x | x
TCP/443 | HTTPS | x | x | x
TCP/993 | IMAP/SSL | x | |
TCP/995 | POP/SSL | x | |
TCP/1433 | JDBC | x | x | x
UDP/8686 | JMX | x | x | x
TCP/18184 | Checkpoint LEA | x | x | x
TCP/18190 | Checkpoint CPMI Port | x | x | x

Supported Devices and Applications by Vendor

Vendor | Model | Discovery | Performance Monitoring | Log Analysis | Configuration Change Monitoring | Details
------ | ----- | --------- | ---------------------- | ------------ | ------------------------------- | -------
AirTight Networks | SpectraGuard | Discovered via LOG only | Not natively supported – Custom monitoring needed | CEF format: Over 125 event types parsed covering various Wireless suspicious activities | Currently not natively supported | AirTight Networks SpectraGuard
Alcatel | TiMOS Routers and Switches | SNMP: OS, Hardware | SNMP: CPU, memory, interface utilization, hardware status | Not natively supported – Custom parsing needed | Currently not natively supported | Alcatel TiMOS and AOS Switch Configuration
Alcatel | AOS Routers and Switches | SNMP: OS, Hardware | SNMP: CPU, memory, interface utilization, hardware status | Not natively supported – Custom parsing needed | Currently not natively supported | Alcatel TiMOS and AOS Switch Configuration
Alertlogic | IPS | Discovered via LOG only | Currently not natively supported | AlertLogic API – Snort event types | Currently not natively supported |
Amazon | AWS Servers | AWS API: Server Name, Access IP, Instance ID, Image Type, Availability Zone | CloudWatch API: System Metrics: CPU, Disk I/O, Network | CloudTrail API: Over 325 event types parsed covering various AWS activities | CloudTrail API: various administrative changes on AWS systems and users | AWS CloudWatch; AWS CloudTrail
Amazon | AWS Elastic Block Storage (EBS) | CloudWatch API: Volume ID, Status, Attach Time | CloudWatch API: Read/Write Bytes, Ops, Disk Queue | Covered via CloudTrail API | Covered via CloudTrail API | AWS EBS and RDS
Amazon | AWS Relational Database Storage (RDS) | | CloudWatch API: CPU, Connections, Memory, Swap, Read/Write Latency and Ops | Currently not natively supported | Covered via CloudTrail API | AWS EBS and RDS
Amazon | Elastic Load Balancer (ELB) | | Currently not natively supported | HTTP(S) Access logs – Management logs – Covered via CloudTrail API | Covered via CloudTrail API |
Apache | Tomcat Application Server | JMX: Version | JMX: CPU, memory, servlet, session, database, threadpool, request processor metrics | Currently not natively supported – Custom parsing needed | Currently not natively supported | Apache Tomcat
Apache | Apache Web Server | SNMP: Process name | SNMP: process level CPU, memory; HTTPS via the mod_status module: Apache level metrics | Syslog: W3C formatted access logs – per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration | Currently not natively supported | Apache Web Server
APC | NetBotz Environmental Monitor | SNMP: Host name, Hardware model, Network interfaces | SNMP: Temperature, Relative Humidity, Airflow, Dew point, Current, Door switch sensor etc. | SNMP Trap: Over 125 SNMP Trap event types parsed covering various environmental exception conditions | Currently not natively supported | APC NetBotz
APC | UPS | SNMP: Host name, Hardware model, Network interfaces | SNMP: UPS metrics | SNMP Trap: Over 49 SNMP Trap event types parsed covering various environmental exception conditions | Currently not natively supported | APC UPS
Arista Networks | Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running processes | SNMP: CPU, Memory, Interface utilization, Hardware Status | Syslog and NetFlow | SSH: Running config, Startup config | Arista Router and Switch
Aruba Networks | Aruba Wireless LAN | SNMP: Controller OS, hardware, Access Points | SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count | SNMP Trap: Over 165 event types covering Authentication, Association, Rogue detection, Wireless IPS events | Currently not natively supported | Aruba WLAN
Aruba Networks | ClearPass Policy Manager | Discovery via LOG | Currently not natively supported | Syslog: Successful and failed AAA authentication, warnings and errors | Currently not natively supported |
Aruba Networks | Switches | SNMP: OS, Hardware | SNMP: Uptime, Interface utilization | Currently not natively supported – Custom parsing needed | Currently not natively supported |
Avaya | Call Manager | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | CDR: Call Records | Currently not natively supported | Avaya Call Manager
Avaya | Session Manager | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | Currently not natively supported – Custom parsing needed | Currently not natively supported |
Barracuda Networks | Spam Firewall | Discovery via LOG | Currently not natively supported | Syslog: Over 20 event types covering mail scanning and filtering activity | Currently not natively supported | Barracuda Spam
Bit9 | Security Platform | Discovery via LOG | Currently not natively supported | Syslog: Over 259 event types covering various file monitoring activities | Currently not natively supported | Bit9 Security Platform
Bit9 | Carbon Black | Currently not natively supported | Currently not natively supported | Syslog: File monitoring watch list hit | Currently not natively supported |
Blue Coat | Security Gateway versions v4.x and later | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Proxy performance metrics | Syslog: Admin access to Security Gateway; SFTP: Proxy traffic analysis | Currently not natively supported | Blue Coat Web Proxy
Box.com | Cloud Storage | Currently not natively supported | Currently not natively supported | Box.com API: File creation, deletion, modify, file sharing | Currently not natively supported | Box.com
Brocade | SAN Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | Currently not natively supported | Currently not natively supported | Brocade SAN Switch
Brocade | ServerIron ADX Switch | SNMP: Host name, serial number, hardware | SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | Currently not natively supported | Currently not natively supported | Brocade ADX
Brocade | NetIron CER Switches | SNMP: Host name, serial number, hardware | SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | Currently not natively supported | Currently not natively supported | Brocade NetIron CER Routers
CentOS / Other Linux distributions | Linux | SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details, Linux distribution | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; AccelOps LinuxFileMon Agent: File integrity monitoring | SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring | Linux Server
CentOS / Other Linux distributions | DHCP Server | Currently not natively supported | Currently not natively supported | Syslog: DHCP activity (Discover, Offer, Request, Release etc.) – Used in Identity and Location | Not Applicable | Linux DHCP
Checkpoint | FireWall-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | LEA from SmartCenter or Log Server: Firewall Log, Audit trail, over 940 IPS Signatures | LEA: Firewall Audit trail | Check Point Provider-1 Firewall
Checkpoint | Provider-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 | Currently not natively supported | Currently not natively supported | LEA: Firewall Log, Audit trail | LEA: Firewall Audit trail | Check Point Provider-1
Checkpoint | VSX | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | LEA from SmartCenter or Log Server: Firewall Log, Audit trail | LEA: Firewall Audit trail | Check Point Provider-1
Citrix | NetScaler Application Delivery Controller | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status, Application Firewall metrics | Syslog: Over 465 event types covering admin activity, application firewall events, health events | Currently not natively supported | Citrix NetScaler
Citrix | ICA | SNMP: Process Utilization | SNMP: Process Utilization; WMI: ICA Session metrics | Currently not natively supported | Currently not natively supported | Citrix ICA
Cisco | ASA Firewall (single and multi-context) version 7.x and later | SNMP: OS, Hardware; SSH: interface security level (needed for parsing traffic logs), Configuration | SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; NetFlow V9: Traffic log | SSH: Running config, Startup config | Cisco ASA
Cisco | PIX Firewall | SNMP: OS, Hardware; SSH: interface security level (needed for parsing traffic logs), Configuration | SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity | SSH: Running config, Startup config | Cisco ASA
Cisco | FWSM | SNMP: OS, Hardware; SSH: interface security level (needed for parsing traffic logs), Configuration | SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity | SSH: Running config, Startup config | Cisco ASA
Cisco | IOS based Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics; SNMP: BGP metrics, OSPF metrics; SNMP: Class based QoS metrics; SNMP: NBAR metrics | Syslog: Over 200 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco IOS
Cisco | CatOS based Switches | SNMP: OS, Hardware (Serial Number, Image file, Interfaces, Components); SSH: configuration, running process | SNMP: CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 700 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco IOS
Cisco | Nexus OS based Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics, BGP metrics, OSPF metrics, NBAR metrics; SNMP: Class based QoS metrics | Syslog: Over 3500 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, hardware status, software and hardware errors; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco NX-OS
Cisco | 300 Series Switches (SF 300, SG300/350 etc.) | SNMP: OS, Hardware | SNMP: Interface utilization | Currently not natively supported | Currently not natively supported | Cisco 300 Series Routers
Cisco | ONS | SNMP: OS, Hardware | | SNMP Trap: Availability and Performance Alerts | | Cisco NX-OS
Cisco | ACE Application Firewall | SNMP: OS, Hardware | | | |
Cisco | UCS Server | UCS API: Hardware components: processors, chassis, blades, board, CPU, memory, storage, power supply unit, fan unit | UCS API: Chassis Status, Memory Status, Processor Status, Power Supply status, Fan status | Syslog: Over 500 event types parsed for situations covering hardware errors, internal software errors etc. | Currently not natively supported | Cisco UCS
Cisco | WLAN Controller and Access Points | SNMP: OS, Hardware, Access Points | SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count | SNMP Trap: Over 88 event types parsed for situations covering Authentication, Association, Rogue detection, Wireless IPS events | Currently not natively supported | Cisco Wireless LAN
Cisco | Call Manager | SNMP: OS, Hardware, VoIP Phones | SNMP: Call manager CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage; SNMP: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count; SNMP: SIP Trunk Info, Gateway Status Info, H323 Device Info, Voice Mail Device Info, Media Device Info, Computer Telephony Integration (CTI) Device Info | Syslog: Over 950 messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT); CDR Records, CMR Records: Call Source and Destination, Time, Call Quality metrics (MOS Score, Jitter, latency) | Currently not natively supported | Cisco Call Manager
Cisco | Contact Center | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Contact Center
Cisco | Presence Server | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Presence Server
Cisco | Tandberg Telepresence Video Communication Server (VCS) | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Tandberg Telepresence VCS
Cisco | Tandberg Telepresence Multiple Control Unit (MCU) | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Telepresence MCU
Cisco | Unity Connection | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Unity
Cisco | IronPort Mail Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | Syslog: Over 45 event types covering mail scanning and forwarding status | Currently not natively supported | Cisco IronPort Mail
Cisco | IronPort Web Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Installed software change | W3C Access log (Syslog): Over 9 event types covering web request handling status | Currently not natively supported | Cisco IronPort Web
Cisco | Cisco Network IPS Appliances | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | SDEE: Over 8000 IPS signatures | Currently not natively supported | Cisco NIPS
Cisco | Sourcefire 3D and Defense Center | SNMP: OS, Hardware | | | | Sourcefire 3D and Defense Center
Cisco | FireSIGHT Console | | | eStreamer SDK: Intrusion events, Malware events, File events, Discovery events, User activity events, Impact flag events | | Cisco FireSIGHT
Cisco | Cisco Security Agent | SNMP or WMI: OS, Hardware | SNMP or WMI: Process CPU and memory utilization | SNMP Trap: Over 25 event types covering Host IPS behavioral signatures | Currently not natively supported | Cisco CSA
Cisco | Cisco Access Control Server (ACS) | SNMP or WMI: OS, Hardware | SNMP or WMI: Process CPU and memory utilization | Syslog: Passed and Failed authentications, Admin accesses | Currently not natively supported | Cisco ACS
Cisco | VPN 3000 | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | Syslog: Successful and Failed Admin Authentication, VPN Authentication, IPSec Phase 1 and Phase 2 association, VPN statistics | Currently not natively supported | Cisco VPN 3000
Cisco | Meraki Cloud Controllers | SNMP: OS, Hardware, Meraki devices reporting to the Cloud Controller | SNMP: Uptime, Network Interface Utilization; SNMP Trap: Various availability scenarios | Currently not natively supported – Custom parsing needed | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | Meraki Firewalls | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | Syslog: Firewall log analysis | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | Meraki Routers/Switches | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | Meraki WLAN Access Points | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | MDS Storage Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | Currently not natively supported – Custom parsing needed | Currently not natively supported |
Cisco | Network Control Manager (NCM) | | | Syslog: Network device software update, configuration analysis for compliance, admin login | | Cisco Network Compliance Manager
Cisco | Wide Area Application Services (WAAS) | SNMP: Host name, Version, Hardware model, Network interfaces | SNMP: CPU, Memory, Interface utilization, Disk utilization, Process CPU/memory utilization | | | Cisco WAAS
Cisco | Application Centric Infrastructure (ACI) | Not Applicable | Not Applicable | Cisco APIC API: Faults, Events, Configuration Changes, Node/Tenant/Cluster/Application/EPG/Overall health | | Cisco Application Centric Infrastructure (ACI) Configuration

Clavister | Clavister IP | | | | |
Cylance | Cylance Protect Endpoint Protection | | | Syslog: Endpoint protection alerts | | Cylance Protect
Cyphort | Cyphort Cortex Endpoint Protection | | | Syslog: Endpoint protection alerts | | Cyphort Cortex
Dell | SonicWall Firewall | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Firewall session count | Syslog: Firewall log analysis (over 1000 event types) | Currently not natively supported | Dell SonicWALL
Dell | Force10 Router and Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Interface Status, Hardware Status | | SSH: Running config, Startup config | Dell Force10
Dell | NSeries Router and Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | | SSH: Startup config | Dell NSeries
Dell | PowerConnect Router and Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | | SSH: Startup config | Dell PowerConnect
Dell | Dell Hardware on Intel-based Servers | SNMP: Hardware | SNMP: Hardware Status: Battery, Disk, Memory, Power supply, Temperature, Fan, Amperage, Voltage | | Currently not natively supported |
Dell | Compellent Storage | SNMP: OS, Hardware | SNMP: Network Interface utilization, Volume utilization, Hardware Status (Power, Temperature, Fan) | | Currently not natively supported | Dell Compellent
Dell | EqualLogic Storage | SNMP: OS, Hardware (Network interfaces, Physical Disks, Components) | SNMP: Uptime, Network Interface utilization; SNMP: Hardware status: Disk, Power supply, Temperature, Fan, RAID health; SNMP: Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count; SNMP: Connection metrics: IOPS, Throughput; SNMP: Disk performance metrics: IOPS, Throughput; SNMP: Group level performance metrics: Storage, Snapshot | | Currently not natively supported | Dell EqualLogic
EMC | Clariion Storage | Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships | Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization | | Currently not natively supported | EMC Clariion
EMC | VNX Storage | Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships | Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization | | | EMC VNX
EMC | Isilon Storage | SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks, Components) | SNMP: Uptime, Network Interface metrics; SNMP: Hardware component health: Disk, Power supply, Temperature, Fan, Voltage; SNMP: Cluster membership change, Node health and performance (CPU, I/O), Cluster health and performance, Cluster Snapshot, Storage Quota metrics, Disk performance, Protocol performance | | | EMC Isilon
EMC | Data Domain | SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks) | SNMP: Interface utilization, Hardware Status; SNMP: Overall Storage metrics: replication metrics, disk I/O, NFS metrics, CIFS metrics; SNMP: Individual disk metrics: disk I/O, disk utilization, disk status | Currently not natively supported – Custom parsing needed | Currently not natively supported |
ESET | NOD32 Anti-virus | Application type discovery via LOG | | Syslog (CEF format): Virus found/cleaned type of events | | ESET NOD32
FireEye | Malware Protection System (MPS) | Application type discovery via LOG | | Syslog (CEF format): Malware found/cleaned type of events | | FireEye MPS
FireEye | HX Appliances for Endpoint Protection | Application type discovery via LOG | | Syslog (CEF format): Malware Acquisition, Containment type of events | |
F5 Networks | Application Security Manager | Discovery via LOG | | Syslog (CEF format): Various application level attack scenarios – invalid directory access, SQL injections, cross site exploits | | F5 Application Security Manager
F5 Networks | Local Traffic Manager | SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks), Installed Software, Running Software | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start | SNMP Trap: Exception situations including hardware failures, certain security attacks, Policy violations etc.; Syslog: Permitted and Denied Traffic | | F5 Networks Local Traffic Manager
F5 Networks | Web Accelerator | Discovery via LOG | | Syslog: Permitted Traffic | | F5 Networks Web Accelerator
Fortinet | FortiGate firewalls | SNMP: OS, Host name, Hardware (Serial Number, Interfaces, Components) | SNMP: Uptime, CPU and Memory utilization, Network Interface metrics | Syslog: Over 3700 Traffic and system logs | SSH: Running config, Startup config | Fortinet FortiGate
Fortinet | FortiManager | SNMP: Host name, Hardware model, Network interfaces, Operating system version | SNMP: Uptime, CPU and Memory utilization, Network Interface metrics | | | FortiManager
Fortinet | FortiMail Mail Gateway | Discovery via LOG | Currently not supported | Syslog: Over 120 event types covering admin logons, configuration changes, restarts, operational errors, malware and virus, spam | Currently not natively supported | Fortinet FortiWeb
Fortinet | FortiWeb Web Gateway | SNMP: OS, Host name, Hardware (Serial Number, Interfaces) | SNMP: Uptime, CPU and Memory utilization, Network Interface metrics | Syslog: Over 450 event types covering admin logons, configuration changes, restarts, operational errors, Web attacks, HTTP Protocol anomaly | Currently not natively supported | Fortinet FortiWeb
Fortinet | FortiSandbox | SNMP: OS, Host name, Hardware (Serial Number, Interfaces) | SNMP: Uptime, CPU and Memory utilization, Network Interface metrics, Disk | Syslog: Event types covering malware, network attacks and system events | Currently not natively supported | Fortinet FortiSandbox Configuration
Fortinet | FortiDDoS | Discovery via LOG | Currently not supported | Syslog: Over 160 event types covering admin logons, configuration changes, restarts, operational errors, traffic anomaly, DDoS attacks | Currently not natively supported | FortiDDoS
Foundry Networks | IronWare Router and Switch | SNMP: OS, Hardware; SSH: configuration, running process | SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down | SSH: Running config, Startup config | Foundry Networks IronWare
Google | Google Apps | Not Applicable | Not Applicable | Google Apps Admin SDK: Over 200 event types parsed for situations covering login, file access, user/group creation/modification, file creation/modifications | Not Applicable | Google Apps Audit Configuration
Huawei | VRP Router and Switch | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 30 event types parsed for situations covering admin access, configuration change, interface up/down | SSH: Running config, Startup config |
HP | BladeSystem | SNMP: Host name, Access IP, Hardware components | SNMP: hardware status | | | HP BladeSystem
HP | HP-UX servers | SNMP: OS, Hardware | SNMP: Uptime, CPU, Memory, Network Interface, Disk space utilization, Network Interface Errors, Running Process Count, Running process CPU/memory utilization, Running process start/stop; SNMP: Installed Software change; SSH: Memory paging rate, Disk I/O utilization | | | HP UX Server
HP | HP Hardware on Intel-based Servers | SNMP: hardware model, hardware serial, hardware components (fan, power supply, battery, RAID, disk, memory) | SNMP: hardware status | SNMP Trap: Over 100 traps covering hardware issues | |
HP | TippingPoint UnityOne IPS | SNMP: OS, Hardware | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors | Syslog: Over 4900 IPS alerts directly or via NMS | | TippingPoint IPS
HP | ProCurve Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status | | SSH: Running config, Startup config | HP ProCurve
HP | Value Series (19xx) Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors | | SSH: Startup config | HP Value Series (19xx) and HP 3Com (29xx) Switch
HP | 3Com (29xx) Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors | | SSH: Startup config | HP Value Series (19xx) and HP 3Com (29xx) Switch
HP | HP/3Com Comware Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status | Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup config | HP/3Com Comware

IBM Websphere

Application Server

SNMP or WMI: Running processes HTTP(S): Generic Information, Availability metrics, CPU / Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics,

Application level metrics, EJB metrics

    IBM

WebSphere

IBM DB2 Database

Server

SNMP or WMI: Running processes JDBC: Database Audit trail: Log on,

Database level and Table level

CREATE/DELETE/MODIFY operations

    IBM DB2
IBM ISS Proventia IPS

Appliances

    SNMP Trap: IPS Alerts: Over 3500 event types   IBM ISS

Proventia

IBM AIX Servers SNMP: OS,

Hardware,

Installed

Software,

Running

Processes, Open Ports

SSH: Hardware

details

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down SSH: Disk I/O, Paging Syslog: General logs including Authentication

Success/Failure, Privileged logons,

User/Group Modification

  IBM AIX
IBM OS 400 (including iSeries)     Syslog via PowerTech Agent: Over 560 event types

Syslog via Townsend Agent

  IBM OS400
IBM Guardium

Database Firewall

         
Intel/McAfee McAfee Sidewinder

Firewall

SNMP: OS,

Hardware,

Installed

Software,

Running

Processes

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start Syslog: Firewall logs   McAfee Firewall

Enterprise

(Sidewinder)

Intel/McAfee McAfee ePO SNMP: Related process name and parameters SNMP: Process resource utilization SNMP Trap: Over 170 event types   McAfee ePolicy

Orchestrator

(ePO)

Intel/McAfee Intrushield IPS SNMP: OS,

Hardware

SNMP: Hardware status Syslog: IPS Alerts   McAfee

IntruShield

Intel/McAfee Stonesoft IPS (now called Forcepoint)     Syslog: IPS Alerts   McAfee

Stonesoft

Intel/McAfee Web Gateway     Syslog: Web server log   McAfee Web

Gateway

Intel/McAfee Foundstone Vulnerability

Scanner

    JDBC: Vulnerability data   McAfee

Foundstone Vulnerability

Scanner

Infoblox DNS/DHCP

Appliance

SNMP: OS,

Hardware,

Installed

Software,

Running

Processes

SNMP: Zone transfer metrics, DNS

Cluster Replication metrics, DNS

Performance metrics, DHCP Performance metrics, DDNS Update metrics, DHCP subnet usage metrics

SNMP: Hardware Status

SNMP Trap: Hardware/Software Errors

Syslog: DNS logs – name resolution activity success and failures   Infoblox

DNS/DHCP

ISC Bind DNS     Syslog: DNS logs – name resolution activity success and failures   ISC BIND

DNS

 

Juniper, JunOS Router/Switch
Discovery: SNMP: OS, Hardware; SSH: Configuration
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status
Log Analysis: Syslog: Over 1420 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors
Configuration Change Monitoring: SSH: Startup configuration
Details: Juniper Networks JunOS

Juniper, SRX Firewalls
Discovery: SNMP: OS, Hardware; SSH: Configuration
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status
Log Analysis: Syslog: Over 700 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors
Configuration Change Monitoring: SSH: Startup configuration
Details: Juniper Networks JunOS

Juniper, SSG Firewall
Discovery: SNMP: OS, Hardware; SSH: Configuration
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status
Log Analysis: Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors
Configuration Change Monitoring: SSH: Startup configuration
Details: Juniper Networks SSG Firewall

Juniper, ISG Firewall
Discovery: SNMP: OS, Hardware; SSH: Configuration
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status
Log Analysis: Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors
Configuration Change Monitoring: SSH: Startup configuration
Details: Juniper Networks SSG Firewall

Juniper, Steelbelted RADIUS
Discovery: Discovered via LOG
Log Analysis: Syslog – 4 event types covering admin access and AAA authentication
Details: Juniper Networks Steel-Belted RADIUS

Juniper, Secure Access Gateway
Discovery: SNMP: OS, Hardware
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization
Log Analysis: Syslog – Over 30 event types parsed for situations covering VPN login, Admin access, Configuration Change
Details: Juniper Networks SSL VPN Gateway

Juniper, Netscreen IDP
Log Analysis: Syslog – directly from Firewall or via NSM – Over 5500 IPS Alert types parsed
Details: Juniper Networks IDP Series

Juniper, DDoS Secure
Log Analysis: Syslog – DDoS Alerts
Details: Juniper DDoS

Lantronix, SLC Console Manager
Log Analysis: Syslog – Admin access, Updates, Commands run
Details: Lantronix SLC Console Manager

Liebert, HVAC
Discovery: SNMP: Host Name, Hardware model
Performance Monitoring: SNMP: HVAC metrics: Temperature: current value, upper threshold, lower threshold; Relative Humidity: current value, upper threshold, lower threshold; System state etc
Details: Liebert HVAC

Liebert, FPC
Discovery: SNMP: Host Name, Hardware model
Performance Monitoring: SNMP: Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor etc
Details: Liebert FPC

Liebert, UPS
Discovery: SNMP: Host Name, Hardware model
Performance Monitoring: SNMP: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage etc
Details: Liebert UPS

Malwarebytes, Endpoint Protection
Log Analysis: Syslog (CEF format): Malware detected, quarantine success and failures

Microsoft, Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows 2014, Windows 2016
Discovery: SNMP: OS, Hardware (for Dell and HP), Installed Software, Running Processes; WMI: OS, Hardware (for Dell and HP), BIOS, Installed Software, Running Processes, Services, Installed Patches
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Process utilization; WMI: CPU, Memory, Disk, Interface utilization, Detailed CPU/Memory usage, Detailed Process utilization
Log Analysis: WMI pulling: Security, System and Application logs; AccelOps Windows Agent (HTTPS): Security, System and Application logs, File Content change; Snare Agent (syslog): Security, System and Application logs; Correlog Agent (syslog): Security, System and Application logs
Configuration Change Monitoring: SNMP: Installed Software Change; AccelOps Windows Agent: Installed Software Change, Registry Change; AccelOps Windows Agent: File Integrity Monitoring
Details: Microsoft Windows Servers

Microsoft, DHCP Server – 2003, 2008
Discovery: SNMP: Running Processes
Performance Monitoring: WMI: DHCP metrics: request rate, release rate, decline rate, Duplicate Drop rate etc
Log Analysis: AccelOps Windows Agent (HTTPS): DHCP logs – release, renew etc; Snare Agent (syslog): DHCP logs – release, renew etc; Correlog Agent (syslog): DHCP logs – release, renew etc
Details: Microsoft DHCP (2003, 2008)

Microsoft, DNS Server – 2003, 2008
Discovery: SNMP: Running Processes
Performance Monitoring: WMI: DNS metrics: Requests received, Responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received etc
Log Analysis: AccelOps Windows Agent (HTTPS): DNS logs – name resolution activity; Snare Agent (syslog): DNS logs – name resolution activity; Correlog Agent (syslog): DNS logs – name resolution activity
Details: Microsoft DNS (2003, 2008)

Microsoft, Domain Controller / Active Directory 2003, 2008, 2012, 2014, 2016
Discovery: SNMP: Running Processes; LDAP: Users
Performance Monitoring: WMI: Active Directory metrics: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate etc; WMI: "dcdiag -e" command output – detect successful and failed domain controller diagnostic tests; WMI: "repadmin /replsummary" command output – Replication statistics; LDAP: Users with stale passwords, insecure password settings
Details: Microsoft Active Directory


Microsoft, SQL Server – 2005, 2008, 2008R2, 2012, 2014
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process resource usage; JDBC: General database info, Configuration Info, Backup Info; JDBC: Per-instance metrics like Buffer cache hit ratio, Log cache hit ratio etc; JDBC: Per-instance, per-database performance metrics: Data file size, Log file used, Log growths etc; JDBC: Locking info, Blocking info
Log Analysis: JDBC: Database error log; JDBC: Database audit trail
Details: Microsoft SQL Server

Microsoft, IIS versions
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process level resource usage; WMI: IIS metrics: Current Connections, Max Connections, Sent Files, Received Files etc
Log Analysis: AccelOps Windows Agent (HTTPS): W3C Access logs – per instance, per connection: Sent Bytes, Received Bytes, Duration; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs
Details: Microsoft IIS for Windows 2000 and 2003; Microsoft IIS for Windows 2008

Microsoft, ASP.NET
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process level resource usage; WMI: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests etc
Details: Microsoft ASP.NET

Microsoft, Internet Authentication Server (IAS)
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process level resource usage
Log Analysis: AccelOps Windows Agent (HTTPS): AAA logs – successful and failed authentication; Snare Agent (syslog): AAA logs – successful and failed authentication; Correlog Agent (syslog): AAA logs – successful and failed authentication
Details: Microsoft Internet Authentication Server (IAS)

Microsoft, HyperV Hypervisor
Performance Monitoring: Powershell over winexe: Guest/Host CPU usage, Memory usage, Page fault, Disk Latency, Network usage
Details: HyperV

Microsoft, Sharepoint Server
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process level resource usage
Log Analysis: LOGBinder Agent: SharePoint logs – Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes etc
Details: Microsoft SharePoint

Microsoft, Exchange Server
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process level resource usage; WMI: Exchange performance metrics, Exchange error metrics, Exchange mailbox metrics, Exchange SMTP metrics, Exchange ESE Database, Exchange Database Instances, Exchange Mail Submission Metrics, Exchange Store Interface Metrics etc
Details: Microsoft Exchange

Microsoft, ISA Server
Discovery: SNMP: Running Processes
Performance Monitoring: SNMP or WMI: Process level resource usage
Log Analysis: AccelOps Windows Agent (HTTPS): W3C Access logs – per connection: Sent Bytes, Received Bytes, Duration; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs
Details: Microsoft ISA Server

Microsoft, PPTP VPN Gateway
Log Analysis: AccelOps Windows Agent (HTTPS): VPN Access – successful and failed; Snare Agent (syslog): VPN Access – successful and failed; Correlog Agent (syslog): VPN Access – successful and failed
Details: Microsoft PPTP

Microsoft, Office 365
Discovery: Not Applicable
Performance Monitoring: Not Applicable
Log Analysis: Office365 Management Activity API: Close to 500 event types for situations covering login, file access, user/group creation/modification, file creation/modifications
Details: Microsoft Office365 Audit Configuration


Motorola, AirDefense Wireless IDS
Log Analysis: Syslog: Wireless IDS logs
Details: Motorola AirDefense

Motorola, WiNG WLAN Access Point
Log Analysis: Syslog: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Details: Motorola WLAN

Mikrotek, Mikrotech Switches and Routers
Discovery: Host name, OS, Hardware model, Serial number, Components
Performance Monitoring: SNMP: Uptime, CPU utilization, Network Interface metrics
Details: Mikrotek Router

NetApp, DataONTAP based Filers
Discovery: SNMP: Host name, OS, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks
Performance Monitoring: SNMP: CPU utilization, Network Interface metrics, Logical Disk Volume utilization; SNMP: Hardware component health, Disk health; ONTAP API: Detailed NFS V3/V4, ISCSI, FCP storage IO metrics, Detailed LUN metrics, Aggregate metrics, Volume metrics, Disk performance metrics
Log Analysis: SNMP Trap: Over 150 alerts – hardware and software alerts
Details: NetApp Filer

Nimble, NimbleOS Storage
Discovery: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Performance Monitoring: SNMP: Uptime, Network Interface metrics, Storage Disk Utilization; SNMP: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency etc
Details: Nimble Storage

Nessus, Vulnerability Scanner
Log Analysis: Nessus API: Vulnerability Scan results – Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc
Details: Nessus Vulnerability Scanner

Nginx, Web Server
Discovery: SNMP: Application name
Performance Monitoring: SNMP: Application Resource Usage
Log Analysis: Syslog: W3C access logs: per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration
Details: Nginx Web Server

Nortel, ERS Switches and Routers
Discovery: SNMP: Host name, OS, Hardware model, Serial number, Components
Performance Monitoring: SNMP: Uptime, CPU/memory utilization, Network Interface metrics/errors, Hardware Status
Details: Nortel ERS and Passport Switch

Nortel, Passport Switches and Routers
Discovery: SNMP: Host name, OS, Hardware model, Serial number, Components
Performance Monitoring: SNMP: Uptime, CPU/memory utilization, Network Interface metrics/errors, Hardware Status
Details: Nortel ERS and Passport Switch

Nutanix, Controller VM
Discovery: SNMP: Host name, OS, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Performance Monitoring: SNMP: Uptime, CPU/memory utilization, Network Interface metrics/errors, Disk Status, Cluster Status, Service Status, Storage Pool Info, Container Info
Details: Nutanix

Okta.com, SSO
Discovery: Okta API: Users
Log Analysis: Okta API: Over 90 event types covering user activity in Okta website
Details: Okta Configuration

OpenLDAP, OpenLDAP
Discovery: LDAP: Users


Oracle, Enterprise Database Server – 10g, 11g, 12c
Performance Monitoring: SNMP or WMI: Process resource usage; JDBC: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio etc; JDBC: Database table space information: table space name, table space type, table space usage, table space free space, table space next extent etc
Log Analysis: JDBC: Database audit trail: Database logon, Database operations including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc; Syslog: Listener log, Alert log, Audit Log
Details: Oracle Database

Oracle, MySQL Server
Performance Monitoring: SNMP or WMI: Process resource usage; JDBC: User Connections, Table Updates, Table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries etc; JDBC: Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space etc
Log Analysis: JDBC: Database audit trail: Database log on, Database/Table CREATE/DELETE/MODIFY operations
Details: MySQL Server

Oracle, WebLogic Application Server
Performance Monitoring: SNMP or WMI: Process resource usage; JMX: Availability metrics, Memory metrics, Servlet metrics, Database metrics, Thread pool metrics, EJB metrics, Application level metrics
Details: Oracle WebLogic

Oracle, Glassfish Application Server
Performance Monitoring: SNMP or WMI: Process resource usage; JMX: Availability metrics, Memory metrics, Servlet metrics, Session metrics, Database metrics, Request processor metrics, Thread pool metrics, EJB metrics, Application level metrics, Connection metrics
Details: Oracle GlassFish Server

Oracle, Sun SunOS and Solaris
Discovery: SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging
Log Analysis: Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification
Details: Sun Solaris Server

Palo Alto Networks, PAN-OS based Firewall
Discovery: SNMP: Host name, OS, Hardware, Network interfaces; SSH: Configuration
Performance Monitoring: SNMP: Uptime, CPU utilization, Network Interface metrics, Firewall connection count
Log Analysis: Syslog: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs
Configuration Change Monitoring: SSH: Configuration Change
Details: Palo Alto Firewall

PulseSecure, PulseSecure VPN
Log Analysis: Syslog: VPN events, Traffic events, Admin events
Details: PulseSecure

Qualys, Vulnerability Scanner
Log Analysis: Qualys API: Vulnerability Scan results – Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc
Details: Qualys Vulnerability Scanner

Qualys, Web Application Firewall
Log Analysis: Syslog (JSON formatted): web log analysis
Details: Qualys Web Application Firewall

Rapid7, NeXpose Vulnerability Scanner
Log Analysis: Rapid7 NeXpose API: Vulnerability Scan results – Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc
Details: Rapid7 NeXpose Vulnerability Scanner


Riverbed, Steelhead WAN Accelerators
Discovery: SNMP: Host name, Software version, Hardware model, Network interfaces
Performance Monitoring: SNMP: Uptime, CPU / Memory / Network Interface / Disk space metrics, Process cpu/memory utilization; SNMP: Hardware Status; SNMP: Bandwidth metrics (Inbound/Outbound Optimized Bytes – LAN side, WAN side; Connection metrics: Optimized / Pass through / Half-open optimized connections etc); SNMP: Top Usage metrics: Top source, Top destination, Top Application, Top Talker; SNMP: Peer status, for every peer: State, Connection failures, Request timeouts, Max latency
Log Analysis: SNMP Trap: About 115 event types covering software errors, hardware errors, admin login, performance issues – cpu, memory, peer latency issues; Netflow: Connection statistics
Details: Riverbed SteelHead WAN Accelerator

Redhat, Linux
Discovery: SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details, Linux distribution
Performance Monitoring: SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging
Log Analysis: Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; Agent: File integrity monitoring
Configuration Change Monitoring: SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring
Details: Linux Server

Redhat, JBOSS Application Server
Performance Monitoring: SNMP: Process level CPU/Memory usage; JMX: CPU metrics, Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics, Application level metrics, EJB metrics
Details: Redhat JBOSS

Redhat, DHCP Server
Performance Monitoring: SNMP: Process level CPU/Memory usage
Log Analysis: Syslog: DHCP address release/renew events
Details: Linux DHCP

Ruckus, Wireless LAN
Discovery: SNMP: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Performance Monitoring: SNMP: Controller Uptime, Controller Network Interface metrics, Controller WLAN Statistics, Access Point Statistics, SSID performance Stats
Details: Ruckus WLAN

Snort, IPS
Performance Monitoring: SNMP: Process level CPU/Memory usage
Log Analysis: Syslog: Over 40K IPS Alerts; JDBC: Over 40K IPS Alerts – additional details including TCP/UDP/ICMP header and payload in the attack packet
Details: Snort IPS

Sophos, Sophos Endpoint Security and Control
Log Analysis: SNMP Trap: Endpoint events including Malware found/deleted, DLP events
Details: Sophos Endpoint Security and Control

Squid, Web Proxy
Performance Monitoring: SNMP: Process level CPU/Memory usage
Log Analysis: Syslog: W3C formatted access logs – per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration
Details: Squid Web Proxy

Symantec, Symantec Endpoint Protection
Log Analysis: Syslog: Over 5000 event types covering end point protection events – malware/spyware/adware, malicious events
Details: Symantec Endpoint Protection

Symantec, DLP
(no discovery, monitoring, log analysis or configuration change details listed)

TrendMicro, Office scan
Log Analysis: SNMP Trap: Over 30 event types covering end point protection events – malware/spyware/adware, malicious events
Details: Trend Micro OfficeScan

TrendMicro, Intrusion Defense Firewall (IDF)
Log Analysis: Syslog: Over 10 event types covering end point firewall events
Details: Trend Micro IDF

TrendMicro, Deep Security Manager
Log Analysis: Syslog: Over 10 event types covering end point protection events

Tufin, SecureTrack
Log Analysis: Syslog: Over 10 event types covering firewall policy management events

Vasco, DigiPass
Log Analysis: Syslog – Successful and Failed Authentications, Successful and Failed administrative logons
Details: Vasco DigiPass

VMware, VMware ESX and VCenter
Discovery: VMWare SDK: Entire VMware hierarchy and dependencies – Data Center, Resource Pool, Cluster, ESX and VMs
Performance Monitoring: VMWare SDK: VM level: CPU, Memory, Disk, Network, VMware tool status; VMWare SDK: ESX level: CPU, Memory, Disk, Network, Data store; VMWare SDK: ESX level: Hardware Status; VMWare SDK: Cluster level: CPU, Memory, Data store, Cluster Status; VMWare SDK: Resource pool level: CPU, Memory
Log Analysis: VMWare SDK: Over 800 VCenter events covering account creation, VM creation, DRS events, hardware/software errors
Details: VMware Monitoring Events

VMware, vShield
Log Analysis: Syslog: Over 10 events covering permitted and denied connections, detected attacks

VMware, VCloud Network and Security (vCNS) Manager
Log Analysis: Syslog: Over 10 events covering various activities

WatchGuard, Firebox Firewall
Log Analysis: Syslog: Over 20 firewall event types
Details: WatchGuard Firebox Firewall

Websense, Web Filter
Log Analysis: Syslog: Over 50 web filtering events and web traffic logs
Details: Websense Web Filter


Adding Super/Global Users to Organizations with Collectors

In multi-tenant deployments, you may need to create Super/Global users who have roles within multiple organizations. If your deployment includes organizations with collectors, you must add the users individually.

  1. Log in to your Supervisor node as a Super/Global user.
  2. Create the individual user as described in Adding a Single User, choosing the appropriate Default Role.
  3. Select the Permitted Organizations the user is allowed to access, overriding any default role settings as necessary.
  4. Click Save.
Adding Super/Global Users to Organizations without Collectors

For organizations without Collectors, if the Active Directory server belongs to super-local, the discovered users are visible from the super-global view and any of these users can be made a FortiSIEM user. In this case the steps are:

  1. Log in as super-global.
  2. Create the user as described here; both manual and discovery-based approaches can be used.
  3. Choose the Default role.
  4. Choose the permitted organizations and, if needed, override the default role for specific organizations. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

Adding Users to Multi-Tenant Deployments

Two kinds of admin users can be added: users belonging to a specific organization, or super-local users belonging to super-global.

Adding specific organization users

This can be done from the specific organization admin account or from the super-global account.

  1. Log in as an appropriate administrator. There are two possibilities: log in as the admin user for that organization, or log in as super-global and then switch user to that organization.
  2. Follow the steps for the AO-VA case described here. Note that for Active Directory based discovery, the Active Directory server has to belong to that specific organization. If the Active Directory server belongs to super-local, then the users also belong to super and would not be visible for that organization.

FortiSIEM provides a short-cut to add admin users for multiple organizations in one shot:

  1. Log in as super-global.
  2. Manually create the user as described in the manual user creation mode here.
  3. Choose the Default role.
  4. Choose the permitted organizations and override the default role for a specific organization if needed. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

Adding super-global users

Super-global users are often needed for managing multiple organizations, and can be created from the super-global account. There are two cases, depending on whether organizations have collectors or not.

For the organizations-with-collector-only case, users must be created manually:

  1. Log in as super-global.
  2. Manually create the user as described in the manual user creation mode here.
  3. Choose the Default role.
  4. Choose the permitted organizations. Override the default role for each specific organization, if needed. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

For the organizations-without-collector case, if the Active Directory server belongs to super-local, the discovered users are visible from the super-global view and any of these users can be made a FortiSIEM user. In this case the steps are:

  1. Log in as super-global.
  2. Create the user as described here; both manual and discovery-based approaches can be used.
  3. Choose the Default role.
  4. Choose the permitted organizations and, if needed, override the default role for specific organizations. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.

Adding Users to Organizations

Adding users to organizations for multi-tenant deployments follows the same processes described in Adding Users for Enterprise Deployments, though if you want to discover users in an Active Directory server over LDAP, the Active Directory server has to belong to the organization where you want to add the user.

  1. Log in to your Supervisor node either as the Admin user for the organization where you want to add the user, or log in as a Super/Global user to add the user to more than one organization.
  2. Create the user as described in Adding a Single User, or follow the instructions in Adding Users from Active Directory via LDAP.
  3. If you have logged in as the Super/Global user, select the organizations where you want to add the user, overriding any Default Roles for the organization as necessary.

 

How Devices are Added to Organizations

When you initiate device discovery for organizations, the way in which those devices are added to organizations depends on whether you are using Collectors in your deployment.

For organizations with Collectors, discovery is carried out by the Collector, and the Collector assigns devices to the organization with which it is associated. If organizations have an overlapping IP range, deploying Collectors and assigning them to a specific IP range and organization will ensure that the device is added to the correct organization.

For organizations without Collectors, discovery is carried out by the Supervisor. In this case, the Include/Exclude IP Range you defined when you set up the organization is used to add the device to the organization.

If a device matches only one defined organization IP Range, it is assigned to that organization.

If a device matches multiple defined IP Ranges, it is assigned to the Super organization.

You can change a device’s assigned organization manually, and FortiSIEM will automatically update the Include/Exclude IP Range for that organization. This updated IP range definition will then be used in the next discovery process. However, this may create confusing IP range definitions for the organization, so you may want to re-define the organization’s IP range and rediscover devices.
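The assignment rule for organizations without Collectors, as an added example rather than FortiSIEM's own code. Organization names, IP ranges and the assumption that an Exclude range takes precedence over an Include range are constructed for illustration; the page states the one-match and multi-match outcomes but not what happens when nothing matches, so that case is left unassigned here.

```python
"""Device-to-organization assignment for organizations without Collectors.

Added example, not FortiSIEM code. It applies the rule stated in the text:
exactly one matching Include/Exclude IP Range assigns the device to that
organization; several matches send it to the Super organization.
"""
import ipaddress
from typing import Dict, List, Optional

SUPER_ORG = "Super"

# Constructed sample organizations; "O-eng" borrows the name used in the text.
# "O-lab" deliberately overlaps "O-ops" to exercise the multi-match rule.
ORG_RANGES: Dict[str, Dict[str, List[str]]] = {
    "O-eng": {"include": ["10.1.0.0/16"], "exclude": ["10.1.99.0/24"]},
    "O-ops": {"include": ["10.1.99.0/24", "10.2.0.0/16"], "exclude": []},
    "O-lab": {"include": ["10.2.0.0/24"], "exclude": []},
}


def in_range(ip: str, ranges: Dict[str, List[str]]) -> bool:
    """True if ip lies inside an Include range and outside every Exclude range.

    Exclude-over-Include precedence is an assumption of this example.
    """
    addr = ipaddress.ip_address(ip)
    included = any(addr in ipaddress.ip_network(n) for n in ranges["include"])
    excluded = any(addr in ipaddress.ip_network(n) for n in ranges["exclude"])
    return included and not excluded


def assign_organization(ip: str, org_ranges=ORG_RANGES) -> Optional[str]:
    """Return the organization a discovered device is added to."""
    hits = [org for org, ranges in org_ranges.items() if in_range(ip, ranges)]
    if len(hits) == 1:
        return hits[0]          # matched exactly one organization IP Range
    if len(hits) > 1:
        return SUPER_ORG        # overlapping ranges: goes to the Super org
    return None                 # no range matched; not covered by the text
```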

Dynamic Distribution of Events per Second (EPS) across Collectors

In multi-tenant deployments, the service provider is licensed a certain amount of EPS. The service provider distributes these EPS among the various collectors during collector setup by setting the Guaranteed EPS. Because an organization can have multiple collectors, the guaranteed EPS for an organization is the sum total of guaranteed EPS for all collectors belonging to that organization. This total must be no more than the total EPS licensed to the service provider. The remaining EPS (the difference between the service provider EPS and the total EPS across all collectors), if any, is allocated to the super-local organization, the service provider’s core system, if that needs to be monitored. To monitor this system, FortiSIEM recommends creating a new organization to monitor the service provider’s own network, and installing another Collector to monitor that organization.

The redistribution algorithm uses three metrics for each Collector.

Guaranteed EPS: Defined during the Collector configuration process while setting up an organization. FortiSIEM ensures that the Collector can always send EPS at this rate. This is a constant that never changes during the operation of the algorithm, unless you edit the Collector definition.

Incoming EPS: This is the EPS that the Collector sees. This changes continuously. You can view this metric for a Collector in Admin > Collector Health.

Allocated EPS: This is the EPS that is currently allocated to the Collector by the redistribution algorithm. You can view this metric for a Collector in Admin > Collector Health.

Each Collector periodically reports its Incoming EPS to the Supervisor, which then determines the Allocated EPS and pushes this control down to the Collectors. Allocated EPS is set to Guaranteed EPS initially, but if for some Collector the Incoming EPS is greater than the Allocated EPS, the Supervisor examines all Collectors and determines the excess capacity as the sum over all Collectors of max(0, Allocated – Incoming). If there is a Collector with excess capacity, its Allocated EPS is reduced and the excess amount is given to the Collector that needs it. If a Collector that gave up EPS (that is, one whose Allocated EPS is now less than its Guaranteed EPS) subsequently needs that EPS, it is taken away from the Collectors whose Allocated EPS is greater than their Guaranteed EPS and given back. This continuous readjustment is centrally coordinated by the Supervisor node.
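The redistribution described above as an added example, not FortiSIEM's own code: a small Python simulation of one Supervisor pass over constructed Collector values. The Collector names and EPS figures are invented, and the ordering of the two phases (reclaim toward the guarantee first, then lend spare capacity) is an assumption, since the page gives the rule but not an implementation.

```python
"""Simulation of the Supervisor's EPS redistribution across Collectors.

Added example, not FortiSIEM code. It models the three per-Collector
metrics named in the text (Guaranteed, Incoming and Allocated EPS) and the
redistribution rule described, on constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Collector:
    name: str
    guaranteed: int        # Guaranteed EPS: fixed in the Collector definition
    incoming: int = 0      # Incoming EPS: what the Collector currently sees
    allocated: int = -1    # Allocated EPS: set by the Supervisor

    def __post_init__(self) -> None:
        # Allocated EPS starts out equal to Guaranteed EPS.
        if self.allocated < 0:
            self.allocated = self.guaranteed

    @property
    def deficit(self) -> int:
        """EPS this Collector needs beyond its current allocation."""
        return max(0, self.incoming - self.allocated)

    @property
    def spare(self) -> int:
        """Allocated EPS this Collector is not using."""
        return max(0, self.allocated - self.incoming)


def excess_capacity(collectors: List[Collector]) -> int:
    """Sum over all Collectors of max(0, Allocated - Incoming)."""
    return sum(c.spare for c in collectors)


def transfer(donor: Collector, receiver: Collector, amount: int) -> None:
    """Move EPS between two Collectors; the licensed total is unchanged."""
    donor.allocated -= amount
    receiver.allocated += amount


def rebalance(collectors: List[Collector]) -> Dict[str, int]:
    """One Supervisor pass; returns the new Allocated EPS per Collector."""
    # Phase 1 (assumed ordering): reclaim. A Collector that earlier gave up
    # EPS (Allocated below Guaranteed) and now needs it takes it back, up to
    # its guarantee, from Collectors holding more than their own guarantee.
    for c in collectors:
        want = min(c.guaranteed - c.allocated, c.deficit)
        for donor in collectors:
            if want <= 0:
                break
            over = donor.allocated - donor.guaranteed
            if donor is c or over <= 0:
                continue
            take = min(over, want)
            transfer(donor, c, take)
            want -= take
    # Phase 2: lend. Any remaining deficit is covered from Collectors with
    # spare capacity, which may push a donor below its Guaranteed EPS.
    for c in collectors:
        for donor in collectors:
            if c.deficit == 0:
                break
            if donor is c or donor.spare == 0:
                continue
            transfer(donor, c, min(donor.spare, c.deficit))
    return {c.name: c.allocated for c in collectors}
```

Running two passes on three constructed Collectors (guarantees 500/300/200, then incoming 700/100/150 followed by B rising to 250) shows A borrowing from B, then B reclaiming up to its guarantee while A is topped up from C's spare.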

 

 

Deleting Organizations

  1. Log into your Supervisor node as a Super/Global user.
  2. Go to Admin > Setup Wizard > Organizations.
  3. Write down the ID of the organization you want to delete.
  4. Go to Admin > Collector Health.

Note the IP Address and Collector Name of any Collectors associated with the organization you want to delete.

  5. Log out of your Supervisor node.
  6. SSH into the Collector hosts for the organization as root.
  7. Using phTools, stop the Collector processes.
  8. Power down the Collector.
  9. Log back into your Supervisor node as an Admin user for the organization you want to delete.
  10. Go to CMDB > Devices.
  11. Delete all devices in both the Device View and the VM View.
  12. Go to CMDB > Device View > Users, and delete all users except for the default admin account under which you are currently logged in.
  13. Go to Admin > Setup Wizard > Synthetic Transaction Monitoring and delete all STM tests.
  14. Log out of your Supervisor node, and then log back in as the Super/Global user.
  15. Go to Admin > Collector Health.
  16. Delete the organization’s Collectors.

Issues with Deleting Collectors Because of In-Memory Processes

You may encounter issues with deleting Collectors if the Supervisor still holds in-memory processes related to Collector status that are being updated to the CMDB. If you encounter these issues, please contact FortiSIEM Support.

  17. Delete the organization.
  18. Log out of your Supervisor node.
  19. SSH into the Supervisor host machine as root.
  20. In the /data directory, delete the eventdb database for that organization.

Finding the Right EventDB Database

You can tell which EventDB belongs to the organization you want to delete based on the organization ID that you wrote down in Step 3. For example, if the organization ID is 2005, you would look for /data/eventdb/CUSTOMER_2005 as the database to delete. Be careful that you don’t delete the EventDB for a continuing organization.

 

Managing Organizations for Multi-Tenant Deployments

Organizations can be created with or without Collectors. If you are using Collectors in a clustered deployment that includes Workers, please make sure you have followed the instructions in Configuring Worker Settings before you have registered your Collectors with the Supervisor in order to make sure your Collectors properly upload information to the Workers.

  1. Log in to your Supervisor node as a Super/Global user.
  2. Go to Admin > Setup Wizard > Organization.
  3. Click Add.
  4. Enter information for the organization.
  5. If your organization uses Collectors, click New under
  6. Complete the Collector information.

For Guaranteed EPS, enter the events per second from this collector that FortiSIEM will accept. See the topic Dynamic Distribution of Events per Second (EPS) across Collectors for more information. For Start Time and End Time, enter the dates for which the Collector license is valid.

  7. Click Save.
  8. For Max Devices, enter the maximum number of devices discovered by this collector that the system will accept.
  9. Click Save.

Configuring FortiSIEM

Initial System Configuration

Before you can initiate discovery and monitoring of your IT infrastructure, you will need to configure several general settings, add users, and add organizations for multi-tenant deployments.

Setting Up the Email Gateway

Before you can set up notifications, you have to set up the email gateway that your system will use for all alerts and system notifications.

  1. Log into your Supervisor node.
  2. Go to Admin > General Settings > Email Settings.
  3. Enter the Email Gateway Server.
  4. Enter any additional account or connection information.
  5. Click Save.

Setting Up Routing Information for Reports and Incident Notifications

Topics in this section describe how to set up email addresses to send alerts to when a scheduled report runs, and distribution information for notifications associated with incidents. You can also automate the sending of tickets to a Remedy system when an incident occurs. These are all general settings, in that you don’t need to have any rules or reports defined before you configure them. For information on configuring specific notification policies for rules and incidents, see Incident Notifications. For information on configuring Remedy to work with FortiSIEM notifications, see Configuring Remedy to Accept Incident Notifications from FortiSIEM.

Setting Up Email Alert Routing for Scheduled Reports

Setting Up SNMP Traps for Incident Notifications

Setting Up XML Message Routing for Incident Notifications

Setting Up Routing for Remedy Tickets

Related Links

Scheduling Reports

Incident Notifications

Configuring Remedy to Accept Incident Notifications from FortiSIEM

 

Setting Up Email Alert Routing for Scheduled Reports

You can schedule reports to run and send email notifications to specific individuals. This setting is for default email notifications that will be sent when any scheduled report completes.

  1. Log into your Supervisor node.
  2. Go to Admin > General Settings > Analytics.
  3. Click +.

If you haven’t configured your email gateway yet, you will see an error message.

  4. Select SMS or Email for the delivery method.
  5. Enter the email address or SMS number.
  6. Click OK.
  7. Click Save All when you are done.

Sending Alerts to the Console

Select Send an alert to console if you also want to send alerts to the console. Alerts are always displayed in the Incidents tab, while the alerts sent to the console are immediately displayed but without any grouping by rule name, incident source, incident target, or other detail information.

Empty Reports

Sometimes a report may be empty because there are no matching events. If you don’t want to send empty reports to users, select Do not send scheduled emails if report is empty. If you are running a multi-tenant deployment, and you select this option while in the Super/Global view, this will apply only to Super/Global reports. If you want to suppress delivery of empty reports to individual organizations, you will have to configure this option in the organizational view.

Related Links

Setting Up the Email Gateway

Scheduling Reports

Setting Up SNMP Traps for Incident Notifications

You can define an SNMP trap destination that will be notified when a rule triggers an incident.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Analytics.
  3. Enter the SNMP Trap IP Address.
  4. Enter the SNMP Community String that will authorize sending the trap to the SNMP trap IP address.
  5. Select the SNMP Trap Type.
  6. Select a Protocol.
  7. Click Test SNMP to check the connection.
  8. Click Save All.
Related Links

Incident Notifications

 

Setting Up XML Message Routing for Incident Notifications

You can configure FortiSIEM to send an XML message over HTTP(S) when an incident is triggered by a rule.

  1. Log in to your Supervisor.
  2. Go to Admin > General Settings > Analytics.
  3. For HTTP(S) Server URL, enter the URL of the remote host where the message should be sent.
  4. Enter the Username and Password to use when logging in to the remote host, and then Reconfirm the password.
  5. Click Test HTTP to check the connection.
  6. Click Save All.
Setting Up Routing for Remedy Tickets

You can set up Remedy to accept notifications from FortiSIEM and generate tickets from those notifications, as described in Configuring Remedy to Accept Incident Notifications from FortiSIEM. These instructions explain how to set up the routing to your Remedy server.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Analytics.
  3. For WSDL, enter the URL of the Remedy Server.
  4. Enter the Username and Password associated with your Remedy server, and then Reconfirm the password.
  5. Click Test Remedy to test the connection.
  6. Click Save All.
Related Links

Configuring Remedy to Accept Incident Notifications from FortiSIEM

Setting Up User Roles

FortiSIEM has a wide operational scope – it provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers and applications. It is difficult for one admin to monitor across the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjointed locations. Role-based access control provides a way to partition the FortiSIEM administrative responsibilities across multiple admins.

A role defines two aspects of a user’s interaction with the FortiSIEM platform:

Which user interface elements a user can see, and whether the user has Read, Write or Execute permission on them. For example, the built-in Executive role can see only the dashboard, while the Server Admin role cannot see network devices. Role permissions can be defined down to the attribute level: for example, a Tier1 Network Admin role can see network devices but not their configurations.

What data the user can see. For example, consider a Windows Admin role and a Unix Admin role. Both can run the same reports, but the Windows admin sees only logs from Windows devices. This definition can also be fine-grained: one Windows admin sub-role can be defined to see Windows performance metrics, while another Windows admin sub-role can see Windows authentication logs.

Topics in this section explain how to use the Default roles that come with FortiSIEM, and how to define new ones.

Default Roles

Creating Custom User Roles

 

Default Roles

To perform any action with FortiSIEM, a user must be assigned a role with the required permissions. The roles listed in this table are default roles. You can create custom roles and permissions by following the instructions in the topic Creating Custom User Roles.

Role Permissions
Full Admin Full access to the GUI and full access to the data. Only this role can define roles, create users and map users to roles.
Network Admin Full access to the network device portion of the GUI and full access to logs from network devices
System Admin Full access to the Server/Workstation/Storage part of the GUI and full access to logs from those devices
Server Admin Full access to the Server part of the GUI and full access to logs from those devices
Windows Server Admin Full access to the Windows Server part of the GUI and full access to logs from those devices
Unix Server Admin Full access to the Unix Server part of the GUI and full access to logs from those devices
Security Admin Full access to Security aspects of all devices
Storage Admin Full access to the Storage device part of the GUI and full access to logs from those devices
DB Admin Full access to the database servers part of the GUI and full access to logs from those devices
Helpdesk Access to the Admin, CMDB, and Dashboard tabs, with view and run permissions for the Analytics and Incidents tabs
Read Only Admin View access to all tabs and permission to run reports
Executive View access to the Business Service dashboard and personalized My Dashboard tabs, but reports can be populated by logs from any device

 

 

Creating Custom User Roles
  1. Log in to your Supervisor node.
  2. Go to Admin > Role Management.
  3. Click New.
  4. Enter a Role Name and Role Description.
  5. Enter the Data Conditions for this role.

This restricts the event/log data that is available to the user. The condition is appended as an additional filter to every query submitted by users with this role, so it applies to both Real-Time and Historical searches, as well as Report and Dashboard information.

  6. Enter the CMDB Report Conditions for this role.

This restricts access to the reports for devices, users, and monitors that are available to the user with this role.

  7. Select the UI Access Conditions for this role.

This defines the user interface elements that can be accessed by users with this role. By default, child nodes in the tree inherit the permissions of their immediate parent; you can override the inherited permission by explicitly editing the permission of the child node. Options for these settings are:

Setting Description
Full No access restrictions
Edit The role can make changes to the UI element
Run The role can execute processes for the UI element
View The role can only view the UI element
Hide The UI element is hidden from the role
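
The following Python model, added here as an illustration and not FortiSIEM code, shows why a role's Data Condition has to be conjoined (ANDed) onto whatever filter the user submits, rather than treated as a default that the user's own filter can widen. The event attributes, the role conditions and the sample events are constructed for the example and do not use FortiSIEM's query syntax.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample event records; attribute names are illustrative, not FortiSIEM's schema.
@dataclass(frozen=True)
class Event:
    rept_dev_type: str   # reporting device type
    event_type: str
    src_user: str

EVENTS: List[Event] = [
    Event("Microsoft Windows", "Win-Security-4624", "alice"),
    Event("Microsoft Windows", "Win-Security-4625", "mallory"),
    Event("Linux", "Linux-Auth-Failure", "root"),
    Event("Cisco IOS", "IOS-Config-Change", "netops"),
]

Condition = Callable[[Event], bool]

# Hypothetical role data conditions, one predicate per role.
WINDOWS_ADMIN: Condition = lambda e: e.rept_dev_type == "Microsoft Windows"
NETWORK_ADMIN: Condition = lambda e: e.rept_dev_type == "Cisco IOS"
FULL_ADMIN: Condition = lambda e: True


def run_query(role_condition: Condition, user_condition: Condition,
              events: List[Event] = EVENTS) -> List[Event]:
    """Correct composition: the role's data condition is ANDed onto the user's filter,
    so nothing the user writes can reach events outside the role's scope."""
    return [e for e in events if role_condition(e) and user_condition(e)]


def run_query_unscoped(role_condition: Condition, user_condition: Condition,
                       events: List[Event] = EVENTS) -> List[Event]:
    """Wrong composition, shown for contrast: treating the role condition as a default
    that the user's own filter can widen (OR). A broad user filter leaks other devices."""
    return [e for e in events if role_condition(e) or user_condition(e)]


def device_types(results: List[Event]) -> List[str]:
    """Sorted set of reporting device types present in a result set."""
    return sorted({e.rept_dev_type for e in results})
```

A user filter that deliberately asks for Linux events (`lambda e: e.rept_dev_type == "Linux" or e.event_type.startswith("Win-")`) still returns only Microsoft Windows events through `run_query` under the Windows Admin condition, whereas `run_query_unscoped` hands back the Linux event as well.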

Adding Users for Enterprise Deployments

Adding users to enterprise deployments involves first deciding if you are going to use external authentication, or local authentication credentials defined within each user profile. You can then add users on an individual basis, or, if you are using LDAP authentication, you can discover users within Active Directory over LDAP. For multi-tenant deployments you can add individual users to an organization as described in these topics, but if you need to add users who have a role in more than one organization (Global users), see the topics under Adding Users to Multi-Tenant Deployments.

Setting Up External Authentication

Adding a Single User

Adding Users from Active Directory via LDAP

Adding Users from Okta

Adding 2-factor Authentication via Duo Security

Setting Up External Authentication

You have three options for setting up external authentication for your FortiSIEM deployment. The first option, LDAP, is discussed in detail in Adding Users from Active Directory via LDAP. The other options, RADIUS and Okta, follow the same authentication setup process.

  1. Go to Admin > General Settings > External Authentication.
  2. Click Add.
  3. If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization.
  4. Select the Protocol.
  5. Complete the protocol settings.

Protocol User-Defined Settings
LDAP Access IP. Select Set DN Pattern to open a text field in which you can enter the DN pattern if you want to override the discovered pattern, or you want to add a specific LDAP user. See Adding Users from Active Directory via LDAP for more information about configuration settings for LDAP.
RADIUS Access IP and Shared Secret. Select CHAP if your RADIUS server expects challenge-handshake (CHAP) rather than PAP authentication.
Okta Certificate. See Configuring Okta Authentication for more information.

  6. Click Test, and then enter credentials associated with the protocol you selected to make sure users can authenticate to your deployment.

You can now associate users to this authentication profile as described in Adding a Single User.

 

Configuring Okta Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.

  1. Log into Okta.
  2. In the Applications tab, create a new application using Template SAML 2.0 App.
  3. Under General Settings, configure these settings:
Post Back URL https:///phoenix/okta
Destination https:///phoenix/okta
Recipient FortiSIEM
Audience Restriction Super
authnContextClassRef PasswordProtectedTransport
Request Uncompressed
  4. Click Save.
  5. In the Sign On tab, click View Setup Instructions.
  6. Click Download Certificate.
  7. Follow the instructions in Setting Up External Authentication and enter the downloaded certificate for Okta authentication.

 

Adding a Single User
  1. Log in to your Supervisor node.
  2. Go to CMDB > Users.
  3. Click New.
  4. Complete the User Name and user profile information.
  5. For System Administrator, select Yes.
  6. Select a Default Role for the user.

See the topic Default Roles for a list of default roles and permissions. You can also create new roles as described in Creating Custom User Roles, which will be available in this menu after you create them.

  7. For System Account Enabled, select Yes.
  8. For Session Timeout, enter the number of minutes after which an inactive user will be logged out.
  9. For User Lockout, enter the number of minutes the user will be unable to log into the system after three successive authentication failures.
  10. For System Password Reset, enter the number of days after which a user’s current password for logging in to the system will automatically expire.

If left blank, the user’s password will never expire.

  11. For Password, select Local or External.

If you select Local, enter and then reconfirm the user password. See Setting Up External Authentication for more information about using external authentication.

Multiple Authentication Profiles

If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.

  12. Click Save.
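
The following Python simulation, added here as an illustration and not FortiSIEM code, shows the consequence of the Multiple Authentication Profiles rule above: an unreachable server is skipped, but a rejection from the first server that answers ends the attempt, so a later profile that does know the user is never consulted. The server names, accounts and reachability flags are constructed for the example.

```python
class AuthServer:
    """Constructed stand-in for one external authentication server (LDAP, RADIUS, ...)."""

    def __init__(self, name, accounts, reachable=True):
        self.name = name
        self.accounts = accounts      # username -> password, constructed sample data
        self.reachable = reachable

    def authenticate(self, username, password):
        # An unreachable server behaves like a failed connection, not like a rejection.
        if not self.reachable:
            raise ConnectionError(f"{self.name}: connection failed")
        return self.accounts.get(username) == password


def authenticate_with_profiles(profiles, username, password):
    """Contact the user's profiles in order. A connection failure moves on to the next
    profile; the first server that answers decides, and a rejection ends the process.
    Returns (accepted, trace) where trace records what happened at each server."""
    trace = []
    for server in profiles:
        try:
            accepted = server.authenticate(username, password)
        except ConnectionError:
            trace.append((server.name, "unreachable"))
            continue
        trace.append((server.name, "accepted" if accepted else "rejected"))
        return accepted, trace          # no fallback after an answer, right or wrong
    return False, trace                 # nothing reachable at all


# Constructed profiles: the primary LDAP server is down, RADIUS only knows alice,
# and the backup LDAP server only knows bob.
PROFILES = [
    AuthServer("ldap-primary", {"alice": "a-pass", "bob": "b-pass"}, reachable=False),
    AuthServer("radius", {"alice": "a-pass"}),
    AuthServer("ldap-backup", {"bob": "b-pass"}),
]
```

With these profiles, alice is accepted by the RADIUS server after the primary LDAP server is skipped, but bob is rejected by RADIUS and the backup LDAP server that would have accepted him is never contacted. In practice this means every profile assigned to a user should be able to authenticate that user; profile order is a failover for connectivity, not a search across directories.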

Related Links

Default Roles

Creating Custom User Roles

Adding Users from Active Directory via LDAP

If you want to add users to your FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login credentials for your server and associate them to an IP range, and then run the discovery process on the Active Directory server. If the server is discovered successfully, then all the users in that directory will be added to your deployment. You then need to set up an authentication profile, which will become an option you can associate with users as described in Adding a Single User.

Create Login Credentials and Associate with an IP Address
  1. Log in to your Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. Enter a Name.
  4. For Device Type, select Microsoft Windows.
  5. Select your Access Protocol.

FortiSIEM supports these LDAP protocols:

Protocol Port
LDAP Non-secure version on port 389
LDAPS Secure version on port 636
LDAP Start TLS Secure version on port 389

Plain LDAP on port 389 sends the bind password in the clear, so prefer LDAPS or LDAP Start TLS wherever the directory supports them.

  6. For Used For, select Microsoft Active Directory.
  7. For Base DN, enter the root of the LDAP user tree.
  8. Enter the NetBIOS/Domain for your LDAP directory.
  9. Enter the User Name for your LDAP directory.

For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.

  10. Enter and confirm the Password for your User Name.
  11. Click Save.

Your LDAP credentials will be added to the list of Credentials.

  12. Under Enter IP Range to Credential Associations, click Add.
  13. Select your LDAP credentials from the list of Credentials.
  14. Enter the IP range or host name for your Active Directory server.
  15. Click OK.

Your LDAP credentials will appear in the list of credential/IP address associations.

  16. Click Test Connectivity to make sure you can connect to the Active Directory server.
Discover the Active Directory Server and Users
  1. Go to Admin > Discovery.
  2. Click Add.
  3. For Name, enter Active Directory.
  4. For Include Range, enter the IP address or host name for your Active Directory server.
  5. Leave all the default settings, but clear the Discover Routes option.
  6. Click OK.

Active Directory will be added to the list of discoverable devices.

  7. Select the Active Directory device and click Discover.
  8. After discovery completes, go to CMDB > Users to view the discovered users.

You may need to click Refresh for the user tree hierarchy to load.

Adding Users from Okta

Create an Okta API Token
  1. Log in to Okta using your Okta credentials.
  2. Go to Administration > Security > API Tokens.
  3. Click Create Token.

You will use this token when you set up the Okta login credentials in the next section. Note that this token carries the same permissions as the administrator who generated it, so create it from an account with no more privilege than FortiSIEM needs to read users, and treat it as a credential.

Create Login Credentials and Associate Them with an IP Address
  1. Log in to your Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. Enter a Name.
  4. For Device Type, select the Okta device type.
  5. For Access Protocol, select Okta API.
  6. Enter the NetBIOS/Domain associated with your Okta account.

For example, FortiSIEM.okta.com.

  7. For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta.
  8. Enter and reconfirm the Security Token you created.
  9. Click Save.

Your Okta credentials will be added to the list of Credentials.

  10. Under Enter IP Range to Credential Associations, click Add.
  11. Select your Okta credentials from the list of Credentials.
  12. Enter the IP range or host name for your Okta account.
  13. Click OK.

Your Okta credentials will appear in the list of credential/IP address associations.

  14. Click Test Connectivity to make sure you can connect to Okta.
Discover Okta Users
  1. Go to Admin > Discovery.
  2. Click Add.
  3. For Name, enter Okta.
  4. For Include Range, enter the host name for your Okta account.
  5. Leave all the default settings, but clear the Discover Routes option.
  6. Click OK.

Okta will be added to the list of discoverable devices.

  7. Select the Okta device and click Discover.
  8. After discovery completes, go to CMDB > Users to view the discovered users.

You may need to click Refresh for the user tree hierarchy to load.

Adding 2-factor Authentication via Duo Security

Obtain keys for FortiSIEM to communicate with Duo Security
  1. Sign up for a Duo Security account. This will be the admin account for Duo Security.
  2. Log in to the Duo Security Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Web SDK in the list of applications.
  4. Note the Duo Server Name, Integration key and Secret key from the page. You will need them when you configure FortiSIEM.
  5. Generate an Application key: a long string that serves as a password Duo Security will not know. Choose any string of at least 40 characters, or generate one locally with Python, and keep it as secret as the Secret key.
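
The following Python, added here as an illustration and not FortiSIEM's or Duo's code, generates such a key and models why it must stay unknown to Duo. It follows the signing scheme of the Duo Web SDK v2 (HMAC-SHA1 over a prefixed, base64-encoded username|ikey|expiry cookie), with FortiSIEM's half of the exchange signed by the application key and Duo's half by the secret key. The integration key and secret key values, the user names, and the simulate_duo_callback stand-in for Duo's side are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Prefixes and lifetimes follow the Duo Web SDK v2 convention.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600


def generate_application_key(length=40):
    """Random hex application key of at least 40 characters, generated locally."""
    if length < 40:
        raise ValueError("Duo requires an application key of at least 40 characters")
    return secrets.token_hex((length + 1) // 2)[:length]


def _now(now):
    return int(time.time() if now is None else now)


def _sign_vals(key, vals, prefix, expire, now=None):
    """Build '<prefix>|<base64(username|ikey|expiry)>|<hmac-sha1>' under `key`."""
    exp = _now(now) + expire
    payload = base64.b64encode("|".join(list(vals) + [str(exp)]).encode()).decode()
    cookie = f"{prefix}|{payload}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _parse_vals(key, signed, prefix, ikey, now=None):
    """Return the username if `signed` verifies under `key`, is the expected
    prefix, names our integration key and has not expired; otherwise None."""
    parts = signed.split("|")
    if len(parts) != 3:
        return None
    got_prefix, payload, got_sig = parts
    want_sig = hmac.new(key.encode(), f"{got_prefix}|{payload}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(want_sig, got_sig) or got_prefix != prefix:
        return None
    try:
        username, got_ikey, expire = base64.b64decode(payload).decode().split("|")
    except ValueError:          # bad base64, bad UTF-8 or wrong field count
        return None
    if got_ikey != ikey or _now(now) >= int(expire):
        return None
    return username


def sign_request(ikey, skey, akey, username, now=None):
    """What the application sends to Duo after the first factor succeeded:
    a part Duo can verify (skey) and a part only the application can verify (akey)."""
    duo_sig = _sign_vals(skey, [username, ikey], DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, [username, ikey], APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def simulate_duo_callback(ikey, skey, sig_request, now=None):
    """Constructed stand-in for Duo's side: verify the TX part with skey, answer with
    an AUTH part signed with skey, and echo the APP part it cannot verify."""
    duo_sig, app_sig = sig_request.split(":")
    username = _parse_vals(skey, duo_sig, DUO_PREFIX, ikey, now)
    if username is None:
        raise ValueError("request signature did not verify")
    return f"{_sign_vals(skey, [username, ikey], AUTH_PREFIX, DUO_EXPIRE, now)}:{app_sig}"


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Accept the second factor only if both halves verify and name the same user."""
    auth_sig, app_sig = sig_response.split(":")
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    if auth_user is None or app_user is None or auth_user != app_user:
        return None
    return auth_user


def forge_response_without_akey(ikey, skey, username, now=None):
    """What a party holding only ikey and skey (Duo itself, or someone who stole them)
    could produce: a valid AUTH part, but an APP part signed with a guessed key."""
    guessed_akey = secrets.token_hex(20)
    auth_sig = _sign_vals(skey, [username, ikey], AUTH_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(guessed_akey, [username, ikey], APP_PREFIX, APP_EXPIRE, now)
    return f"{auth_sig}:{app_sig}"
```

Because verify_response requires the AUTH half (secret key) and the APP half (application key) to verify and to name the same user, a party holding only the keys Duo knows cannot complete a login on its own, and a response replayed after DUO_EXPIRE seconds is rejected as well. The application key is the part of the handshake that stays under your control: store it with the same care as the secret key and do not reuse it across applications.
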
Create and Manage FortiSIEM users in Duo Security

This determines how the second-factor prompt looks in FortiSIEM and how the user responds to the second-factor authentication challenge.

  1. Log in to Duo Security as the admin user.
  2. Choose the Logo that will be shown to users as they log on.
  3. Choose the superset of 2-factor Authentication Methods that users may use.
  4. Optional: you can create the specific users who will log on via FortiSIEM. If users are not pre-created here, their accounts are created automatically when they attempt 2-factor authentication for the first time.
Add 2-factor authentication option for FortiSIEM users
  1. Create a 2-factor authentication profile:
    1. Go to Admin > General Settings > External Authentication.
    2. Click Add.
    3. Enter a Name.
    4. Set Organization to the scope of the users who will be authenticated:
      1. For AO-VA, specify System.
      2. For AO-SP, specify System if the profile will be used globally; otherwise specify a specific organization.
    5. Set Protocol to Duo.
    6. Set IP/Host to the host name of the Duo Security server from Step 4 in “Obtain keys for FortiSIEM to communicate with Duo Security”.
    7. Set Integration key and Secret key from Step 4 in “Obtain keys for FortiSIEM to communicate with Duo Security”.
    8. Set Application key from Step 5 in “Obtain keys for FortiSIEM to communicate with Duo Security”.
    9. Click Save.
  2. Add the 2-factor authentication profile to a user:
    1. Go to CMDB > Users.
    2. Select a specific user.
    3. Check the Second Factor checkbox.
    4. Select the 2-factor authentication profile created in Step 1.
    5. Click Save.
Login to FortiSIEM using 2-factor authentication

Before logging in to FortiSIEM with 2-factor authentication, make sure that these three steps are completed:

Obtain keys for FortiSIEM to communicate with Duo Security

Create and Manage FortiSIEM users in Duo Security

Add 2-factor authentication option for FortiSIEM users

Follow these steps:

  1. Log on to FortiSIEM normally (first factor) using the credentials defined in FortiSIEM, either local or external (for example, LDAP).
  2. If 2-factor authentication is enabled for the user, the login is redirected to the second-factor step:
    1. If the user has not been created in Duo (by the Duo admin), a setup wizard lets the user enter basic information such as a phone number and prompts them to download the Duo app.
    2. If the user already exists in Duo, the user completes the chosen authentication method and clicks Log in. The user is then logged in to FortiSIEM.