Fortinet

Review configuration options for Fortinet firewalls in RocketCyber

FortiGuard block events

FortiGuard is Fortinet's subscription threat-intelligence service (antivirus and IPS signatures, web and DNS filtering categories, IP and domain reputation). The firewall consults it to decide what traffic to block, and a FortiGuard block event is logged each time that happens.

FortiGuard block events are generally much lower noise than allow events: a block is only logged when the firewall has matched something it considers malicious, whereas allow events are logged for all permitted traffic and are extremely common even when every connection is legitimate.

ActiveX allow events

ActiveX controls are native code that runs inside the browser with the user's privileges; the technology is deprecated and has a long history of exploitable controls. An ActiveX allow event means the firewall's web filter let such a control through, so every one of these events is worth a look.

Kill it with fire.

Intrusion attempts (both)

The two intrusion attempt categories handle different situations, so it is advised that both stay enabled.

Antivirus alerts

Firewall AV is the first chance to catch a virus entering your network. It is important to stay informed of this attack vector.

Reputation lookup on connecting IPs

This will monitor traffic and inform you only of unexpected traffic or traffic coming from unusual locations (e.g. countries on the Enabled Countries list).

Log Format

The expected format for Fortinet logs is space-separated key=value pairs, optionally preceded by a syslog priority tag such as <189>. Values that may contain spaces (device names, country names, messages) are double-quoted; numeric values and IP addresses are bare. For example:

<189>date=2019-12-23 time=11:52:21 devname="FG2AAAA802121" devid="FG2AAAA802121" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1577123541 srcip=192.168.10.201 srcport=52770 srcintf="port1" srcintfrole="lan" dstip=216.78.197.170 dstport=443 dstintf="wan1" dstintfrole="wan" poluuid="7457ac76-f7a7-51e5-41cd-55962f7d7c0a" sessionid=179748073 proto=6 action="close" policyid=1 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=97.107.127.97 transport=52770 appid=42577 app="Google.Services" appcat="General.Interest" apprisk="elevated" applist="default" duration=551 sentbyte=37898 rcvdbyte=329224 sentpkt=208 rcvdpkt=441 utmaction="allow" countweb=1 countapp=1 sentdelta=461 rcvddelta=278 devtype="Router/NAT Device" devcategory="None" mastersrcmac="02:04:96:aa:aa:bb" srcmac="02:04:96:aa:aa:cc" srcserver=0
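The following parser is an added example, not RocketCyber's or Fortinet's code. It shows how to split a line in the format above into fields, decode the syslog priority tag, sanity-check the device's clock against eventtime, and bucket events into the categories discussed on this page so that noisy traffic allows can be dropped while blocks, IPS and AV hits are surfaced. The sample lines are constructed: the first is an abbreviated copy of the line shown above, the second is a made-up FortiGuard web-filter block (field names follow FortiOS conventions, values are invented). The triage mapping and the ActiveX/web-filter field assumptions are the example's own.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed sample lines modelled on the format shown on this page.
# TRAFFIC_ALLOW is an abbreviated copy of the page's traffic/allow line;
# WEBFILTER_BLOCK is an invented FortiGuard web-filter block (assumed field values).
TRAFFIC_ALLOW = (
    '<189>date=2019-12-23 time=11:52:21 devname="FG2AAAA802121" devid="FG2AAAA802121" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'eventtime=1577123541 srcip=192.168.10.201 srcport=52770 srcintf="port1" '
    'dstip=216.78.197.170 dstport=443 dstintf="wan1" proto=6 action="close" policyid=1 '
    'service="HTTPS" dstcountry="United States" srccountry="Reserved" app="Google.Services" '
    'apprisk="elevated" utmaction="allow" sentbyte=37898 rcvdbyte=329224'
)
WEBFILTER_BLOCK = (
    '<188>date=2019-12-23 time=11:53:02 devname="FG2AAAA802121" type="utm" '
    'subtype="webfilter" eventtype="ftgd_blk" level="warning" eventtime=1577123582 '
    'srcip=192.168.10.201 dstip=203.0.113.10 service="HTTPS" action="blocked" '
    'catdesc="Malicious Websites" msg="URL belongs to a denied category in policy"'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where value is either "quoted, may contain spaces and \" escapes" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line: str) -> Tuple[Optional[int], str]:
    """Strip the syslog <PRI> prefix; return (pri, remainder). PRI is optional."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), line[m.end():]


def parse_fortigate(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value line into a dict.

    Quoted values keep embedded spaces; backslash-escaped quotes are unescaped
    (assumption: some values may carry \" escapes). _facility/_severity are
    derived from the PRI: facility = pri >> 3, severity = pri & 7.
    """
    pri, body = parse_pri(line)
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted.replace('\\"', '"')
    if pri is not None:
        fields["_facility"] = str(pri >> 3)
        fields["_severity"] = SEVERITY[pri & 7]
    return fields


def utc_offset_seconds(fields: Dict[str, str]) -> Optional[int]:
    """Local date/time minus eventtime, i.e. the device's UTC offset in seconds.

    A quick way to catch a misconfigured timezone before correlating with other
    sources. eventtime is epoch seconds on older FortiOS and epoch nanoseconds
    on FortiOS 6.2 and later, so the value is normalised by magnitude.
    """
    try:
        local = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
        event = int(fields["eventtime"])
    except (KeyError, ValueError):
        return None
    if event > 10**12:
        event //= 10**9
    local_as_utc = int(local.replace(tzinfo=timezone.utc).timestamp())
    return local_as_utc - event


def triage(fields: Dict[str, str]) -> str:
    """Bucket an event the way the options above are grouped (assumed mapping).

    Blocks, IPS and AV hits are surfaced; plain traffic allows are tagged as
    noise so a caller can drop them unless a policy specifically wants them.
    """
    ftype, sub = fields.get("type"), fields.get("subtype")
    if ftype == "utm" and sub == "ips":
        return "intrusion"
    if ftype == "utm" and sub == "virus":
        return "antivirus"
    if fields.get("action") in ("blocked", "deny", "dropped") or fields.get("utmaction") == "block":
        return "block"
    if ftype == "traffic" and fields.get("utmaction") == "allow":
        return "allow-noise"
    return "other"


if __name__ == "__main__":
    for line in (TRAFFIC_ALLOW, WEBFILTER_BLOCK):
        f = parse_fortigate(line)
        print(triage(f), f.get("_severity"), f.get("srcip"), "->", f.get("dstip"),
              "offset", utc_offset_seconds(f), f.get("msg", ""))
```

On the page's own sample the PRI 189 decodes to facility 23 (local7) and severity 5 (notice), which agrees with level="notice", and the offset check returns -21600, i.e. the device is logging local time at UTC-6 while eventtime is UTC; a non-integer-hour offset or a drift between lines is the usual sign of an NTP or timezone problem on the firewall.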