integrate Fortigate (or FortiAnalyzer ) with security onion ?

[soceng]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Standalone

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

24 GB

Storage for /

500

Storage for /nsm

326 GB

Network Traffic Collection

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am running a standalone on-prem deployment installed from the ISO image, and I am trying to get syslogs sent from my Fortigates firewalls to appear in Kibana.

First i will share my installation info
i have VMware Esxi , i configured to adapters one for management and the second for sniffing.

Installation Mode : Standalone
Managment IP : 10.240.x.y
Airgap : True
Proxy :NA
Allowed IP or subnet ( Sniffing Interface ) : 10.240.0.0/24 ( i have tried to assign specific IP like 10.240.0.204 but when i tried to access it via web from my workstation i couldn't only from machine from the same subnet 10.240.0x.x so i assigned it this full subnet )

on my Fortigate on syslog server menu i added 10.240.0.0 and port number 9004 as UDP
is this configuration correct or shoud i add single IP which is the sniffing interface of SO ?
then i I have added the fortigate integration to the "so-grid-nodes_general" agent policy

I have created a custom host group and custom port group with my fortigate IPs and the port 9004 respectively, (I've also assigned the custom port group to the custom host group)

here is the tcpdump output taken from the standalone node , only events sourced from my devices is shown on the output

Here is the contet of logstash.log
logstach.txt

The issue is first want to check if my security onion installation is correct with the above specifications specifically the sniffer IF IP ?
then till now i didn't see any alerts or got any event's on standalone nodes as the output of tcpdum is show only my devices event's ( SSH event of my connection to the standalone node )
Thanks
i appreciate the assistance

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[soceng]

i changed the IP configurations as below , and did tcpdump on the sniffing interface ens224 but it's still on listening no events have received .

management interface : 10.240.3.204
allowed IP or subnet ( sniffing ) : 10.240.0.204 same subnet of FG
on the syslog FW menu i put the below IP

[TotieBash]

Yeah this will not work. The FG should be pointed to "10.240.3.204" which is SO mgmt interface. The FG needs to be able to ping the SO or have network connectivity for port 9004 to work.

[InfosecGoon]

You want to send the Fortinet logs to the Management interface IP on port 9004 and make sure that the customportgroup0 is assigned to customhostgroup0 in the Standalone role.

Also make sure that you're running a current version of SO, Fortinet integration didn't work earlier and 2.4.100 doesn't exist so I'm not sure what you're on.

[soceng]

@InfosecGoon InfosecGoon : Thanks for your reply , I want to send the log of FortiGate to the sniffing interface but i have confused on the interface settings of SO on the Hosts and during SO installation

as i listed above, the deployment was on VMware Esxi Host version 7 , I configured two NIC's one for management ens192 and the second for the Sniffing ens224 .

during the installation I assigned the IP 10.240.3.204 for MGMT with interface joined to the management NIC's on Host (ens192 ) then during the installation asked me to provide the allowed IP or subnet and I put 10.240.0.204 ( Ip on the same subnet of FortiGate)
my questions , on the syslog menu on FortiGate should i put IP ( 10.240.0.204 ) to send it the Log or should send it to the IP of sniffing Nic's of the Host (the one configured during VM creation )

the second question is the IP requested to be listed on the allowed IP or subnet during installation is for receiving the log from FortiGate or for the allowed IP to access the analyst and SO ?

i runing the last version of SO

[TotieBash]

"during the installation I assigned the IP 10.240.3.204 for MGMT with interface joined to the management NIC's on Host (ens192 )" - This mgmt interface is where you will receive the fortigate logs. Which you corrected already.

"then during the installation asked me to provide the allowed IP or subnet and I put 10.240.0.204 ( Ip on the same subnet of FortiGate)" - That "allowed IP" is really for your management workstation you will use to manage SO. For example if you want to manage SO from your MacOS, you give it the IP address of your MacOS or you can give an entire CIDR block. Its just permitting 443 on firewalld so your MacOS is allowed to come in https.

"my questions , on the syslog menu on FortiGate should i put IP ( 10.240.0.204 ) to send it the Log or should send it to the IP of sniffing Nic's of the Host (the one configured during VM creation )" - No. Think of the sniffing interface are for all your passive ingest of live data/pcap. In which the SO tools Suricata, Zeek and Stenographer uses to ingest data. Infact typically there is no IP address on the sniffing interface. The active tools like ingesting Fortigate logs uses the management interface.

"the second question is the IP requested to be listed on the allowed IP or subnet during installation is for receiving the log from FortiGate" - NO. However the mgmt interface secondary role is for ingesting external logs like your Fortigate logs.

"or for the allowed IP to access the analyst and SO ?" - YES. This is the primary role of the mgmt interface.

To get your issue iron out you need to follow this instructions to the T:
https://docs.securityonion.net/en/2.4/pfsense.html
also use #12055
Also use this youtube for reference: https://www.youtube.com/watch?v=aoH8qZwAxek
I think with these material you should get your issue sort out.

[soceng]

I already Saw this video and read The documentation but they didn't State or list to which IP will send The log of FortiGate . I will be thankful and grateful to you if you reply to My two questions on The past post . my questions , on the syslog menu on FortiGate should i put IP ( 10.240.0.204 ) to send it the Log or should send it to the IP of sniffing Nic's of the Host (the one configured during VM creation )" - No. Think of the sniffing interface are for all your passive ingest of live data/pcap. In which the SO tools Suricata, Zeek and Stenographer uses to ingest data. Infact typically there is no IP address on the sniffing interface. The active tools like ingesting Fortigate logs uses the management interface. "the second question is the IP requested to be listed on the allowed IP or subnet during installation is for receiving the log from FortiGate" - NO. However the mgmt interface secondary role is for ingesting external logs like your Fortigate logs. "or for the allowed IP to access the analyst and SO ?" - YES. This is the primary role of the mgmt interface.

…

On Fri, Apr 26, 2024, 7:39 PM TotieBash ***@***.***> wrote: "during the installation I assigned the IP 10.240.3.204 for MGMT with interface joined to the management NIC's on Host (ens192 )" - This mgmt interface is where you will receive the fortigate logs. Which you corrected already. "then during the installation asked me to provide the allowed IP or subnet and I put 10.240.0.204 ( Ip on the same subnet of FortiGate)" - That "allowed IP" is really for your management workstation you will use to manage SO. For example if you want to manage SO from your MacOS, you give it the IP address of your MacOS or you can give an entire CIDR block. Its just permitting 443 on firewalld so your MacOS is allowed to come in https. "my questions , on the syslog menu on FortiGate should i put IP ( 10.240.0.204 ) to send it the Log or should send it to the IP of sniffing Nic's of the Host (the one configured during VM creation )" - No. Think of the sniffing interface are for all your passive ingest of live data/pcap. In which the SO tools Suricata, Zeek and Stenographer uses to ingest data. Infact typically there is no IP address on the sniffing interface. The active tools like ingesting Fortigate logs uses the management interface. "the second question is the IP requested to be listed on the allowed IP or subnet during installation is for receiving the log from FortiGate" - NO. However the mgmt interface secondary role is for ingesting external logs like your Fortigate logs. "or for the allowed IP to access the analyst and SO ?" - YES. This is the primary role of the mgmt interface. To get your issue iron out you need to follow this instructions to the T: https://docs.securityonion.net/en/2.4/pfsense.html also use #12055 <#12055> Also use this youtube for reference: https://www.youtube.com/watch?v=aoH8qZwAxek I think with these material you should get your issue sort out. — Reply to this email directly, view it on GitHub <#12833 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANTT2VBBDO6FMQA64HNW6ZLY7J7NXAVCNFSM6AAAAABGRC2BQSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TEMZZGU3DS> . You are receiving this because you authored the thread.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/12833/comments/9239569 @github.com>

[TotieBash]

so sorry, I'm confuse are you still asking what interface to send the logs from fortigate? Are you still asking wheter to send it to mgmt vs sniffing interface?

[TotieBash]

Can you screen shot the result of the following commands:

1. This will tell us if the Elastic Fleet integration and the Elastic agent is configured properly.
   ss -tulpn | grep 9004

2. This will tell us if the firewall section is configured properly.
   iptables --list -n | grep 9004

3. Finally, this will tell us if the Fortigate syslogs are reaching SO mgmt interface. Assuming your mgmt interface is 'ens192' here is the syntax:
   tcpdump -i ens192 -nnA port 9004

[soceng]

Thanks @TotieBash for your clarification and assist.
here is the output of the required commands.
1- ss -tulpn | grep 9004

2- no output for IPTABLE with port 9004
3- tcpdump -i ens192 -nnA port 9004
here is sample for the output of tcpdump

till now , no alert has seen on the alerts menu or events on Hunt menu on SO Dashboards .

[TotieBash]

1 - Looks good. You have SO configured to listen on UDP 9004.
3 - Looks good. The packets are coming in from Fortigate to SO on UDP 9004.
2 - Is bad. It means iptables is not configured or misconfigured.
Follow REF: https://docs.securityonion.net/en/2.4/pfsense.html#elastic-integration-for-pfsense

Also, use #12245 for reference.

[soceng]

already did these configurations on customhostgroup0 and customportgroup0

i put the IP of FG's

[soceng]

@TotieBash
i re-configure the FW then sync and reboot SO
the output of Iptables

but till now no alerts or events on the Dashboard

[TotieBash]

Did you add 10.240.0.0/24 or 10.240.0.201/32? either one should work for you but I would put 10.240.0.0/24 for now. Later you can lock it down.

Also check the logs to make sure it is not being drop by the kernel.
journalctl -k | grep 9004

[soceng]

@TotieBash
no dropped log as i checked by command line and Dashboard

also i browsed the content of the path /opt/so/log/logstash/logstash.log , there are lot of events

[TotieBash]

Did you add:
10.240.0.0/24?
or
10.240.0.201/32?

[soceng]

@TotieBash
10.240.0.201 without masking on customhostgroup

[soceng]

@TotieBash
here is the content of logstash

[2024-05-26T07:07:08,186][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:09,488][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:09,527][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:09,527][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:09,592][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch>[2024-05-26T07:07:09,592][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, >[2024-05-26T07:07:09,598][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:09,709][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:09,721][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:09,722][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:09,760][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch>[2024-05-26T07:07:09,761][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, >[2024-05-26T07:07:09,770][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:09,867][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:09,876][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:09,876][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:09,900][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch>[2024-05-26T07:07:09,901][WARN ][logstash.outputs.elasticsearch] You have enabled encryption but DISABLED certificate verification, >[2024-05-26T07:07:09,908][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[>[2024-05-26T07:07:10,111][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"https://so_elastic:xxxxx>[2024-05-26T07:07:10,144][INFO ][logstash.outputs.elasticsearch] Elasticsearch version determined (8.10.4) {:es_version=>8}
[2024-05-26T07:07:10,144][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be u>[2024-05-26T07:07:10,190][INFO ][logstash.outputs.elasticsearch] Not eligible for data streams because ecs_compatibility is not enab>[2024-05-26T07:07:10,190][INFO ][logstash.outputs.elasticsearch] Data streams auto configuration (data_stream => auto or unset) re>[2024-05-26T07:07:10,202][INFO ][logstash.javapipeline ] Starting pipeline {:pipeline_id=>"search", "pipeline.workers"=>4, "pipel>[2024-05-26T07:07:10,223][INFO ][logstash.outputs.elasticsearch] Using a default mapping template {:es_version=>8, :ecs_compatibilit>[2024-05-26T07:07:11,202][INFO ][logstash.javapipeline ] Pipeline Java execution initialization time {"seconds"=>3.24}
[2024-05-26T07:07:11,596][INFO ][logstash.javapipeline ] Pipeline Java execution initialization time {"seconds"=>1.39}
[2024-05-26T07:07:11,719][INFO ][logstash.inputs.redis ] Registering Redis {:identity=>"redis://@hsa-so:9696/0 list:log>