Fortinet Fortiweb

The Fortiweb integration allows you to manage WAF policies and block cookies, URLs, and hostnames.

Fortinet Fortiweb Pack

Fortinet Fortiweb enables you to manage WAF policies and block cookies, URLs, and hostnames.


What does this pack do?

Fortiweb Cloud

  • XDM Mapping for Attack, Audit and Traffic logs in CEF format.
  • Timestamp ingestion for Attack, Audit and Traffic logs.

Fortiweb VM

  • XDM Mapping for Attack and Traffic logs in CEF format.
  • Timestamp ingestion for Attack and Traffic logs.
  • Create, update, delete, or retrieve protected hostnames, groups, and members.
  • Create, update, delete, or retrieve IP lists groups and members.
  • Create, update, delete, or retrieve Geo IP groups and members.
  • Create, update, delete, or retrieve server policies.
  • Create, update, delete, or retrieve whitelist members.
  • Retrieve information and status of the systems.

This pack contains an integration whose main purpose is to perform controlled changes on hosted web applications.


Collect Events from Vendor

In order to receive logs, use the Broker VM option.

For Traffic logs from Fortiweb Cloud, the logs must be exported through Amazon S3.

Fortiweb Cloud

Audit Logs

  1. Go to Global > System Settings > Settings.
  2. Enable Audit Logs Export.
  3. Configure the following mandatory settings:
     Field Name           Value
     Server Type          Syslog
     IP/Domain and Port   IP & Port
     Protocol             TCP
     Log Format           CEF
  4. Click Save.

Attack Logs

  1. Go to Log Settings.
  2. Enable Attack Log Export.
  3. Click Add Log Server.
  4. Configure the following mandatory settings:
     Field Name           Value
     Server Type          Syslog
     IP/Domain and Port   IP & Port
     Protocol             TCP
     Log Format           CEF
  5. Click OK.

Traffic Logs (AWS S3)

  1. Go to Log Settings.
  2. Enable Traffic Log Export.
  3. Configure the following mandatory settings:
     Field Name           Value
     Server Type          AWS S3
     Bucket Name          Enter the AWS S3 bucket name.
     Region               Enter the region code, for example, ap-southeast-1.
     Access Key ID        Enter the access key ID of the S3 bucket.
     Secret Key ID        Enter the secret key ID of the S3 bucket.
     Prefix / Folder      Enter the prefix / folder in which to store the traffic log.
  4. Click Save.


Fortiweb VM

Enable Logging

  1. Configure a SIEM Policy (see the next section). Before you can log to the resource, enable logging for the log type that you want to use as a trigger.
  2. Go to Log&Report > Log Config > Other Log Settings.
  3. Make sure that the Attack, Traffic and Event log checkboxes are selected.
  4. Click Apply.

Configure a SIEM Policy

  1. Before you can log to the resource, enable logging for the log type that you want to use as a trigger (see Enable Logging above).
  2. Go to Log&Report > Log Policy > SIEM Policy.
  3. For Policy Name, enter a unique name that other parts of the configuration can reference.
  4. Click Create New, set the Policy Type to ArcSight CEF.
  5. Input an IP address and port for the server.
  6. Click OK.

Configure Log Settings

  1. Go to Log&Report > Log Config > Global Log Settings.
  2. Configure and enable a SIEM setting option:
     Field Name    Value
     Log Level     Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
     SIEM Policy   Select the policy to use when storing log messages remotely.
  3. Click Apply.
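The syslog exports configured above deliver each Fortiweb Cloud or Fortiweb VM event as one CEF-formatted line over TCP, and the pack's XDM mapping and timestamp ingestion work on those lines. The following Python parser is an added example, not code from the Fortinet Fortiweb pack, from Fortinet, or from the Cortex mapping. It shows how a received line is split into the seven pipe-delimited CEF header fields and the key=value extension (handling the `\|` and `\=` escapes and any syslog prefix in front of the `CEF:` marker) and how the `rt` field becomes an event timestamp. The two sample lines are constructed: the vendor and product strings, the `example-*` signature IDs and the extension keys (`rt`, `src`, `dst`, `request`, `act`, `requestMethod`) are generic CEF fields chosen for the demonstration, not FortiWeb's actual log schema, and treating a textual `rt` as UTC is an assumption.

```python
"""CEF syslog line parser for a FortiWeb-style SIEM export.

Added example; not code from the Fortinet Fortiweb pack. The sample lines
are constructed: vendor/product strings, signature IDs and extension keys
(rt, src, dst, ...) are generic CEF fields, not FortiWeb's real schema.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# The seven pipe-delimited fields that open every CEF record.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Split the extension on whitespace that is immediately followed by "key=".
# A "\=" inside a value is not preceded by whitespace, so it never splits.
_KV_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value: str) -> str:
    """Resolve CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v2 with spaces k3=v3' into a dict of unescaped values."""
    fields = {}
    for token in _KV_BOUNDARY.split(ext.strip()):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = _unescape(value)
    return fields


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record.

    Anything before the "CEF:" marker (syslog priority, timestamp, hostname
    added by the sender) is discarded. Header fields honour the "\\|" escape.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    body = line[start + len("CEF:"):]
    fields, current, i = [], [], 0
    while len(fields) < len(HEADER_FIELDS) and i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped "|" or "\"
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    record = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = _parse_extension(body[i:])   # rest of the line
    return record


def event_time(record: dict) -> Optional[datetime]:
    """Turn the CEF 'rt' (receipt time) field into an aware UTC datetime.

    Accepts epoch milliseconds or the 'MMM dd yyyy HH:mm:ss' form. The text
    form carries no zone, so UTC is assumed here (an assumption).
    """
    rt = record["extension"].get("rt")
    if rt is None:
        return None
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    return datetime.strptime(rt, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample lines, not captured FortiWeb output.
SAMPLE_LINES = [
    # Syslog priority/header in front of the CEF marker; "\=" inside a value.
    "<134>Jan 23 10:15:03 fortiweb-01 CEF:0|Fortinet|FortiWeb|7.2.0|example-attack"
    "|Signature Detection|7|rt=1674468903000 src=203.0.113.7 dst=198.51.100.10 "
    "request=/login.php?user\\=admin act=Alert",
    # Escaped pipe inside the header 'name' field; textual 'rt'.
    "CEF:0|Fortinet|FortiWeb|7.2.0|example-traffic|HTTP Request \\| Allowed|3|"
    "rt=Jan 23 2023 10:15:04 src=192.0.2.25 dst=198.51.100.10 requestMethod=GET "
    "act=Accept",
]


def parse_samples() -> list:
    """Parse every constructed sample line."""
    return [parse_cef(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for rec in parse_samples():
        print(event_time(rec).isoformat(), rec["severity"], rec["name"], rec["extension"])
```

Because the export goes over TCP, a real receiver must also handle syslog framing (newline-delimited or octet-counted messages) before handing each line to `parse_cef`; the Broker VM does that for you, which is why the steps above only ask for the CEF format and a TCP destination.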

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Supported By: Cortex
Created: January 23, 2023
Last Release: September 12, 2024
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.