[Fortinet Fortigate] Change default TCP framing to RFC 6587 #7516
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This topic has always confused me and I don't think I've ever gotten a firm answer on it. RFC 6587 specifies both octet counting framing (which is what `framing: rfc6587` does here) and non-transparent framing (which is what `framing: delimiter` does). Were you able to confirm with PCAPs which method Fortigate uses?
Changing the default runs the risk of breaking existing deployments if they're relying on the currently established behavior. If, however, we should be using octet counting framing (and non-transparent framing was never supported by Fortigate), then it would be good to make this change.
Edit: Okay, I misunderstood what `framing: rfc6587` did; it can handle either framing type. That would explain why the system tests continue to pass 👍.
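Added example, not part of the thread and not Filebeat's code: a minimal Python splitter that accepts both RFC 6587 framing methods on one TCP byte stream, which is the behaviour the comment above attributes to `framing: rfc6587`. The names `split_frames` and `demo`, the 64 KiB cap and the sample messages are assumptions made for illustration.

```python
# Added example (not Filebeat's implementation): split a TCP syslog byte
# stream into messages, accepting both RFC 6587 framing methods.
import re

# Octet counting is "MSG-LEN SP SYSLOG-MSG"; MSG-LEN starts with a digit 1-9,
# while a syslog message starts with "<", so the first byte tells them apart.
_OCTET_PREFIX = re.compile(rb"([1-9][0-9]*) ")
MAX_FRAME = 64 * 1024  # assumed cap so a hostile length cannot exhaust memory


class FramingError(ValueError):
    """Raised when a frame is larger than MAX_FRAME."""


def split_frames(buf: bytes, trailer: bytes = b"\n"):
    """Return (frames, remainder); remainder is an incomplete trailing frame."""
    frames, pos = [], 0
    while pos < len(buf):
        m = _OCTET_PREFIX.match(buf, pos)
        if m:
            # Octet-counted frame: the count covers exactly the message bytes,
            # so an embedded line feed stays inside the message.
            length = int(m.group(1))
            if length > MAX_FRAME:
                raise FramingError(f"declared length {length} exceeds cap")
            start, end = m.end(), m.end() + length
            if end > len(buf):
                break  # wait for more bytes from the socket
            frames.append(("octet-counting", buf[start:end]))
            pos = end
        else:
            # Non-transparent frame: the message runs up to the trailer.
            end = buf.find(trailer, pos)
            if end == -1:
                if len(buf) - pos > MAX_FRAME:
                    raise FramingError("no trailer found within cap")
                break
            frames.append(("non-transparent", buf[pos:end]))
            pos = end + len(trailer)
    return frames, buf[pos:]


def demo():
    # Constructed sample stream (not a capture from a real device).
    m1 = b'<189>devname="fw1" msg="a\nb"'  # embedded LF survives octet counting
    m2 = b'<190>devname="fw1" msg="c"'
    stream = str(len(m1)).encode() + b" " + m1 + m2 + b"\n" + b"40 <18"
    return split_frames(stream)
```

A receiver that only splits on the line feed would cut the first sample message in two, which is the kind of breakage the framing default decides.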
LGTM
Much appreciated your review @taylor-swanson! I would also like to have the opinion of @P1llus as he has been involved in the issue.
As long as we can say for certain that framing will be enabled by default from the Fortigate side, this is fine. I was thinking worst case scenario, we might want to keep it commented out.
I was just thinking this should have been reported more often if framing was a big issue? Or maybe TCP is not used that frequently.
Except that, all LGTM :)
Based on this piece of docs
Package fortinet_fortigate - 1.16.1 containing this change is available at https://epr.elastic.co/search?package=fortinet_fortigate
* Change default TCP framing to rfc6587
* Update changelog
What does this PR do?
`reliable`, it uses RFC 6587 for TCP forwarding. The framing value has been set to `rfc6587` by default because I assume that the reliable mode should be the default one when forwarding over TCP syslog from Fortigate, the other available option is `legacy-reliable`.
Checklist
`changelog.yml` file.